Sorkin, David (David) DSORKIN at lucent.com
Wed Oct 2 16:05:18 UTC 2002

I've seen large SRV records that require TCP. These are used somehow by W2K and help indicate what services are available on W2K servers. I've administratively disabled zone transfers using ACLs, but disabling tcp/53 could give defense in depth. There are 13 root servers because that number of NS records fits in a single UDP packet. As far as network security goes, I think that UDP presents more problems, since it is connectionless and can also be used to probe networks via inbound UDP leaks.

David Sorkin <dsorkin at lucent.com>

> -----Original Message-----
> From: Bill Larson [mailto:wllarso at swcp.com]
> Sent: Wednesday, October 02, 2002 11:04 AM
> To: bind-users at isc.org
> Subject: DNS and TCP
> There is a recent/current thread about TCP packets being used for DNS
> communication, and this brought up a question for me.
> Can anyone provide any examples of "reasonable" DNS queries that would
> overflow a UDP packet and require retransmission using TCP?  Specific,
> non-contrived, examples would be appreciated.
> I fully understand that if too much data is being provided in the DNS
> response (>512 bytes) then TCP retransmission will be necessary.  My
> problem is that at work (which will remain nameless), someone managing
> the network has blocked incoming TCP traffic on port 53.  This means
> that, in general, no one can obtain DNS information using TCP.  This
> was done under the belief that the only reason for DNS to use TCP is
> for zone transfers, and that these must be blocked.
> I would like to provide them an example of where their blocking DNS
> services using TCP may cause problems.  Specific possibilities that I
> can imagine would include:
> 	Large numbers of glue records (lots of NS records for the zone)
> 	Large numbers of answers (multiple records, maybe MX records?)
> 	Large answers (a large TXT record)
> Contriving such a situation would be trivial, I have done this using
> long TXT records, but can anyone provide an example that really is
> being used out there?
> Thanks,
> Bill Larson (wllarso at swcp.com)
