Re: permit udp 53

From: Anthony Pace (anthonypace@xxxxxxxxxxx)
Date: Sat Jul 13 2002 - 19:13:49 GMT-3


I seem to remember reading that the distinction on DNS using UDP or TCP
was that one was for iterative queries and one was zone transfers. Are
we saying that the size of the DNS segment is determining which to use?

Anthony Pace

On Sat, 13 Jul 2002 17:06:48 -0400, "Brant Stevens"
<branto@myrealbox.com> said:
> DNS requests that exceed 512 bytes in length will automatically use
> TCP.
> To be RFC compliant, you should allow TCP and UDP. I've seen posts on
> boards related to BIND with people saying they don't allow both, and the
> responses that are given are unreal. Granted, they need to get a life, but
> they are right... =)
>
> -Brant
>
>
> ----- Original Message -----
> From: "Jim Brown" <Jim.Brown@caselogic.com>
> To: <jezerski@broadcom.com>; "Jim Brown" <Jim.Brown@caselogic.com>;
> "'Yakout
> esmat'" <yesmat@iprimus.com.au>; "'kpalmer'" <kip.palmer@verizon.net>;
> <ccielab@groupstudy.com>
> Sent: Saturday, July 13, 2002 1:45 PM
> Subject: RE: permit udp 53
>
>
> > If I'm not mistaken the RFC states requests can use either UDP or TCP for
> > lookups. The UDP format is typically used for lookups but isn't mandatory
> > per the RFC.
> >
> > If the lookup exceeds the UDP packet size limitation for a single packet I
> > believe the information is transmitted via TCP, even for lookups. Basically
> > if the response lookup packet is truncated the client is supposed to resend
> > the request via a TCP session.
> >
> > I personally block TCP 53 because I know my lookups do not exceed the
> > limitation and there is no reason for anyone to perform transfers from my
> > zone.
> >
> > I think it is a common misconception DNS lookups must ALWAYS use UDP for
> > lookups.
> >
> >
> > -----Original Message-----
> > From: Joseph Ezerski [mailto:jezerski@broadcom.com]
> > Sent: Saturday, July 13, 2002 10:47 AM
> > To: 'Jim Brown'; 'Yakout esmat'; 'kpalmer'; ccielab@groupstudy.com
> > Subject: RE: permit udp 53
> >
> >
> > I think DNS Zone Transfers use TCP 53. Lookups use UDP.
> >
> > -Joe
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Jim Brown
> > Sent: Saturday, July 13, 2002 9:27 AM
> > To: 'Yakout esmat'; kpalmer; ccielab@groupstudy.com
> > Subject: RE: permit udp 53
> >
> >
> > If I'm not mistaken, in certain cases DNS lookups can use TCP 53. I know
> > downloads use TCP 53 but depending on the lookup size I believe lookups can
> > also use TCP 53.
> >
> > -----Original Message-----
> > From: Yakout esmat [mailto:yesmat@iprimus.com.au]
> > Sent: Friday, July 13, 2001 7:39 AM
> > To: kpalmer; ccielab@groupstudy.com
> > Subject: RE: permit udp 53
> >
> >
> > Shouldn't the second line in the access-list be like this:
> >
> > access-list 105 permit udp [x.x.x.0 0.0.0.255] gt 1023 [x.x.x.0 0.0.0.255]
> > eq 53 log
> >
> >
> > Which means that the source udp port number is greater than 1023 and
> > destination port is UDP 53. Isn't that the way dns works?
> >
> > I may be totally wrong
> >
> > Yakout
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > kpalmer
> > Sent: Saturday, July 13, 2002 10:49 PM
> > To: ccielab@groupstudy.com
> > Subject: permit udp 53
> >
> >
> > For anyone who cares, here's a tested dns filter.
> > What a moment of incompetence? I mean, I've worked with
> > PIX on a daily basis and have set my share of perimeter
> > ACL's. But get me on my home network and all bets are off.
> >
> > Actually, I think the PIX runs a fixup protocol on DNS, like
> > FTP,SMTP,etc.
> > Maybe that's why I drew a blank. Still no excuse.
> >
> >
> > access-list 105 permit tcp any x.x.0.0 0.0.y.x established
> > access-list 105 permit udp [x.x.x.0 0.0.0.255] eq 53 [x.x.x.0 0.0.0.255]
> > gt 1023 log
> > dns servers inside subnets
> >
> > Log it to test it.
> >
> > interface serial 1
> > ip access-group 105 in
> >
> >
> > Kip Palmer
> > kip.palmer@verizon.net
> > 909.374.6865 cell
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Privacy Notice:
> > This message is intended only for the use of the individual or entity to
> > whom it is addressed and may contain information that is privileged,
> > confidential, or exempt from disclosure under applicable federal or
> > state law. If the reader of this message is not the intended recipient
> > or the employee or agents responsible for delivering the message to the
> > intended recipient you are hereby notified that any dissemination,
> > distribution, or copying of this message is strictly prohibited. If you
> > have received this communication in error, please return to:
> > <mailto:kip.palmer@verizon.net> kip.palmer@verizon.net. THANK YOU!
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
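
As an added example, not written by any participant in this thread, the following
Python script shows the RFC 1035 behaviour the thread is arguing about: a
resolver sends a query over UDP 53, and if the reply comes back with the TC
(truncated) flag set it repeats the same query over TCP 53, where each message is
prefixed with a 2-byte length. All traffic here is constructed in-line (the
fake_* transports stand in for real sockets) so the script runs offline; the
example names, transaction ID 0x1234 and the 192.0.2.1 answer are assumptions.
The fake_tcp_filtered transport models what a "permit udp 53" only ACL does to
the TCP retry.

```python
"""UDP-first DNS lookup with the RFC 1035 truncation (TC) fallback to TCP 53.

Added example for the "permit udp 53" thread; not code from any poster.
"""
import struct

# A DNS header is 12 bytes: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: answer did not fit the UDP payload
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(txid, name, qtype=1, qclass=1):
    """Encode a standard recursive query (A record by default) in wire format."""
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Decode the fixed header; raises on anything shorter than 12 bytes."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x0F, "qdcount": qd, "ancount": an}


def needs_tcp_retry(udp_response, expected_id):
    """True when the UDP reply is truncated and the resolver must retry over TCP 53."""
    h = parse_header(udp_response)
    if h["id"] != expected_id or not h["qr"]:
        raise ValueError("response does not match query")
    return h["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Split a TCP byte stream into complete DNS messages; a partial tail is left unread."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack_from("!H", stream, i)[0]
        if i + 2 + n > len(stream):
            break  # incomplete message: a real client would wait for more bytes
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs


def resolve(query, send_udp, send_tcp):
    """Send QUERY over UDP; on TC=1 resend the identical query over TCP.

    send_udp(datagram) -> reply datagram; send_tcp(stream) -> reply stream.
    Returns (reply_message, transport_used)."""
    txid = struct.unpack_from("!H", query)[0]
    reply = send_udp(query)
    if not needs_tcp_retry(reply, txid):
        return reply, "udp"
    msgs = unframe_tcp(send_tcp(frame_for_tcp(query)))
    if not msgs:
        raise ValueError("no complete reply over TCP 53 (filtered or closed?)")
    if parse_header(msgs[0])["tc"]:
        raise ValueError("reply still truncated over TCP")
    return msgs[0], "tcp"


# --- constructed sample traffic (assumed values, not captured from a real server) ---
QUERY = build_query(0x1234, "example.com")
QUESTION = QUERY[HEADER.size:]
# Answer RR: pointer to the question name (0xC00C), type A, class IN, TTL 300, 192.0.2.1
A_RECORD = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
TRUNCATED_RESPONSE = HEADER.pack(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0) + QUESTION
COMPLETE_RESPONSE = HEADER.pack(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0) + QUESTION + A_RECORD


def fake_udp_full(datagram):        # server whose answer fits in one datagram
    return COMPLETE_RESPONSE


def fake_udp_truncating(datagram):  # server that had to set TC on the UDP reply
    return TRUNCATED_RESPONSE


def fake_tcp_server(stream):        # TCP 53 reachable: full answer, length-framed
    return frame_for_tcp(COMPLETE_RESPONSE)


def fake_tcp_filtered(stream):      # TCP 53 dropped by the ACL: nothing ever arrives
    return b""


if __name__ == "__main__":
    print(resolve(QUERY, fake_udp_full, fake_tcp_server)[1])        # udp
    print(resolve(QUERY, fake_udp_truncating, fake_tcp_server)[1])  # tcp
    try:
        resolve(QUERY, fake_udp_truncating, fake_tcp_filtered)
    except ValueError as e:
        print("lookup failed:", e)
```

The third call is the case the thread is worried about: the UDP reply is
truncated, so the client's retry goes to TCP 53, and an ACL that only permits
UDP 53 turns a large answer into a failed lookup rather than a slower one.
Note that the 512-byte figure applies to the reply, which is why a lookup can
fall back to TCP even when the query itself is tiny.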



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:29 GMT-3