1351 PTRs for 1 IP

Pawel Rogocz pawel at rogocz.com
Tue Feb 5 20:41:19 UTC 2002


Just to clarify:

I do *not* administer the server in question. It was something I
saw, when my server was making a request. 

I think the DNS server should be happy with whatever answer it gets over
UDP, as I do not think any application is capable of making use of all
3 x 65535 records, plus you always have a chance of overflowing some buffers
somewhere when you get more data than you were expecting.
511 bytes is enough for me to get what I want; I do not need all 3 x 65535
records that could be stuffed in the response.

Blocking TCP queries would be a security measure to prevent rogue
servers from sending too much data, more than I really care to get.

An old bug from sendmail comes to mind, when by sending a malformed identd
response you could take over a server.


Pawel

On Tue, Feb 05, 2002 at 12:21:49PM -0800, Nate Campi wrote:
> 
> On Tue, Feb 05, 2002 at 08:17:02PM +0000, phn at icke-reklam.ipsec.nu wrote:
> > 
> > Pawel Rogocz <pawel at rogocz.com> wrote:
> > 
> > > Is there a way to prevent bind from making outgoing TCP connections ?
> > Yes. A firewall is one way. DNS however requires TCP so it's more
> > like a black cloth covering your lamp.
> > 
> > Can you read with such a lamp as light ??
> 
> Pawel, share what you're trying to accomplish. If it's security you're
> after, there's a hell of a lot more to (attempting to) secure BIND than
> turning off TCP to/from your server.
> -- 
> Nate Campi     Job: hostmaster at lycos.com and root at wired.com
>  
> "The report of my death was an exaggeration." 
>  -Mark Twain, After reading his own obituary, June 2, 1897  
> 
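The point being argued in this thread (a UDP answer is capped at 512 bytes, a truncated answer sets the TC bit, and the resolver then decides whether to go back over TCP for the full set) can be shown with a small parser. The following is an added example written for this archive page, not code from the thread, from BIND, or from any of the posters. It builds a constructed PTR reply whose header claims 1351 records but carries only a handful, walks the sections without trusting the header counts, and applies a local policy for TCP fallback with a hard cap on how large a TCP answer it will read. `TCP_MAX_ACCEPT`, the sample names and the message ID are assumptions for the example.

```python
import struct

UDP_MAX = 512           # classic DNS-over-UDP payload limit (RFC 1035)
TCP_MAX_ACCEPT = 4096   # cap on a TCP answer this example is willing to read (example policy, not BIND's)


def encode_name(name):
    """Encode a dotted name into DNS label (length-prefixed) wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_reply(claimed, included, tc):
    """Constructed sample: a PTR reply whose header claims `claimed` answers but carries `included`."""
    flags = 0x8180 | (0x0200 if tc else 0)          # QR, RD, RA, optionally TC
    msg = struct.pack("!6H", 0x1234, flags, 1, claimed, 0, 0)
    msg += encode_name("1.0.0.10.in-addr.arpa") + struct.pack("!HH", 12, 1)  # QTYPE PTR, QCLASS IN
    for i in range(included):
        rdata = encode_name(f"host{i}.example")      # hypothetical PTR target
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 3600, len(rdata)) + rdata
    return msg


def frame_tcp(msg):
    """DNS over TCP prefixes each message with a 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg):
    """Decode the 12-byte DNS header; the counts here are claims, not facts."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Advance past a name (labels or a compression pointer), bounds-checked."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def count_parsable_rrs(msg):
    """Count RRs actually present; stop at the data edge instead of trusting header counts."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4                # QTYPE + QCLASS
    n = 0
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        try:
            off = skip_name(msg, off)
        except ValueError:
            break
        if off + 10 > len(msg):
            break
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
        if off > len(msg):
            break
        n += 1
    return n


def decide(udp_reply, allow_tcp):
    """Policy: use a complete UDP answer; on TC either retry over TCP or live with the truncation."""
    if len(udp_reply) > UDP_MAX:
        raise ValueError("UDP reply exceeds 512 bytes")
    if not parse_header(udp_reply)["tc"]:
        return "use-udp"
    return "retry-tcp" if allow_tcp else "accept-truncated"


def read_tcp_answer(stream_bytes):
    """Refuse an oversized TCP answer before buffering it, rather than after."""
    if len(stream_bytes) < 2:
        raise ValueError("no length prefix")
    length = struct.unpack("!H", stream_bytes[:2])[0]
    if length > TCP_MAX_ACCEPT:
        raise ValueError(f"refusing {length}-byte DNS answer (cap {TCP_MAX_ACCEPT})")
    body = stream_bytes[2:2 + length]
    if len(body) < length:
        raise ValueError("short read")
    return body
```

Run against the constructed replies, the complete three-answer message is accepted as-is, while the truncated message reports a claimed 1351 answers but only 5 parsable ones; with TCP disallowed the policy returns `accept-truncated`, which is the behaviour Pawel is describing, and the TCP reader rejects a 40000-byte length prefix before reading a single record.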
