From: Jim Brown (Jim.Brown@xxxxxxxxxxxxx)
Date: Sat Jul 13 2002 - 14:45:03 GMT-3
If I'm not mistaken the RFC states requests can use either UDP or TCP for
lookups. The UDP format is typically used for lookups but isn't mandatory
per the RFC.
If the lookup exceeds the UDP packet size limitation for a single packet I
believe the information is transmitted via TCP, even for lookups. Basically
if the response lookup packet is truncated the client is supposed to resend
the request via a TCP session.
I personally block TCP 53 because I know my lookups do not exceed the
limitation and there is no reason for anyone to perform transfers from my
zone.
I think it is a common misconception DNS lookups must ALWAYS use UDP for
lookups.
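To make the truncation rule concrete, here is an added example (not part of the original thread) that parses the 12-byte DNS header and reports whether a UDP answer carries the TC bit, which is the case in which the client is expected to retry the same query over TCP 53. The two response headers are constructed samples; the flag bit positions follow RFC 1035 section 4.1.1.

```python
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all 16-bit, network order).
# FLAGS bit layout: QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)
HEADER_FMT = "!HHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def build_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    """Pack a DNS header; used here only to construct sample responses."""
    return struct.pack(HEADER_FMT, txid, flags, qd, an, ns, ar)


def parse_header(msg):
    """Unpack the header of a DNS message into its individual fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),       # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "tc": bool(flags & 0x0200),       # truncated: answer did not fit in UDP
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def next_transport(udp_response):
    """'done' if the UDP answer is usable, 'tcp' if the TC bit tells the client
    to repeat the query over TCP 53. A filter that drops TCP 53 breaks the
    second path, so such lookups fail even though UDP 53 is permitted."""
    hdr = parse_header(udp_response)
    if not hdr["qr"]:
        raise ValueError("message is a query, not a response")
    return "tcp" if hdr["tc"] else "done"


# Constructed samples: 0x8380 = QR,TC,RD,RA set; 0x8180 = QR,RD,RA set (no TC).
TRUNCATED_RESPONSE = build_header(0x1234, 0x8380)
COMPLETE_RESPONSE = build_header(0x1234, 0x8180, an=1)

if __name__ == "__main__":
    print(next_transport(TRUNCATED_RESPONSE))  # tcp
    print(next_transport(COMPLETE_RESPONSE))   # done
```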
-----Original Message-----
From: Joseph Ezerski [mailto:jezerski@broadcom.com]
Sent: Saturday, July 13, 2002 10:47 AM
To: 'Jim Brown'; 'Yakout esmat'; 'kpalmer'; ccielab@groupstudy.com
Subject: RE: permit udp 53
I think DNS Zone Transfers use TCP 53. Lookups use UDP.
-Joe
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Jim Brown
Sent: Saturday, July 13, 2002 9:27 AM
To: 'Yakout esmat'; kpalmer; ccielab@groupstudy.com
Subject: RE: permit udp 53
If I'm not mistaken, in certain cases DNS lookups can use TCP 53. I know
downloads use TCP 53 but depending on the lookup size I believe lookups can
also use TCP 53.
-----Original Message-----
From: Yakout esmat [mailto:yesmat@iprimus.com.au]
Sent: Friday, July 13, 2001 7:39 AM
To: kpalmer; ccielab@groupstudy.com
Subject: RE: permit udp 53
Shouldn't the second line in the access-list be like that:
access-list 105 permit udp [x.x.x.0 0.0.0.255] gt 1023 [x.x.x.0 0.0.0.255] eq 53 log
Which means that the source udp port number is greater than 1023 and
destination port is UDP 53. Isn't that the way dns works?
I may be totally wrong
Yakout
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
kpalmer
Sent: Saturday, July 13, 2002 10:49 PM
To: ccielab@groupstudy.com
Subject: permit udp 53
For anyone who cares, here's a tested dns filter.
What a moment of incompetence? I mean, I've worked with
PIX on a daily basis and have set my share of perimeter
ACLs. But get me on my home network and all bets are off.
Actually, I think the PIX runs a fixup protocol on DNS, like
FTP, SMTP, etc.
Maybe that's why I drew a blank. Still no excuse.
access-list 105 permit tcp any x.x.0.0 0.0.y.x established
access-list 105 permit udp [x.x.x.0 0.0.0.255] eq 53 [x.x.x.0 0.0.0.255] gt 1023 log
dns servers inside subnets
Log it to test it.
interface serial 1
ip access-group 105 in
Kip Palmer
kip.palmer@verizon.net
909.374.6865 cell
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:28 GMT-3