tcp/udp, clarification please

Bill Manning bmanning at ISI.EDU
Wed Oct 10 18:12:48 UTC 2001



	Some subset of DNS would work. Others would fail in odd ways.
	You can not presume that even with "minimal" setups that client
	requests won't exceed UDP packet size. Cutting off TCP will 
	prevent your organization from adopting better security tools,
	tools that are known to provide integrity checks on the data.
	Even things which may not be an improvement but are adopted
	"just because", things like Active Directory & GSSTSIG from
	a popular vendor push DNS into TCP because of the size of the
	response.

	Simple UDP is much more prone to data integrity corruption than
	data that uses TCP.  But your zones, your choice. Your support
	costs (opex) will go up if you cut TCP as you will have to deal
	with odd failures The apparent robustness of your sites will 
	decrease for both internal and external clients. 


% 
% So someone couldnt do a zone transfer if i left only UDP open and DNS would
% still work, so this would cut down the functionality that the rest of the
% world does not need correct? the world needs only the resolving portion, my
% setup is very simple and minimal, the zone transfers happen behind the
% firewall ect ect
% 
% 
% "Bill Manning" <bmanning at ISI.EDU> wrote in message
% news:9q1tp8$mrk at pub3.rc.vix.com...
% >
% > %
% > % basically its my understanding that using BIND with only UDP can be a
% bit
% > % more secure, my question is this, are there any types of OS's that
% require
% > % the resolving server to use TCP? or are there any other downsides to not
% > % letting TCP traffic through the firewall.
% > %
% > %     Reguards,
% > %     Eoin Miller
% > %
% >
% > neither is more secure than the other.  UDP works for small packets and
% > simple queries.  Complex RRsets and big packets (zone transfers, dynamic
% > updates, SIG/CERT RRs, A6 chaining, multiple AAAAs etc.) exceed UDP
% > packet limits and will "failover" to using TCP.
% >
% > --
% > --bill
% >
% >
% 
% 
% 


-- 
--bill


More information about the bind-users mailing list