From: Joseph Ezerski (jezerski@xxxxxxxxxxxx)
Date: Sat Jul 13 2002 - 22:02:45 GMT-3
Jim:
Thanks for the clarification. Every little bit of knowledge helps.
-Joe
-----Original Message-----
From: Jim Brown [mailto:Jim.Brown@caselogic.com]
Sent: Saturday, July 13, 2002 3:26 PM
To: 'Anthony Pace'; Brant Stevens; Jim Brown; jezerski@broadcom.com;
'Yakout esmat'; 'kpalmer'; ccielab@groupstudy.com
Subject: RE: permit udp 53
If there is too much data for the lookup to fit into a single 512 UDP packet
the truncate flag is marked in the packet. It is then the responsibility of
the requesting client to open a TCP session on port 53 and make the request
again.
Lookups exceeding 512 bytes are rare and this behavior is the exception, but
DNS lookups could still use TCP under certain circumstances.
If you read the RFC, I believe it doesn't state the method used for lookups.
You could use TCP or UDP according to the RFC and still be within the
guidelines. The de facto standard is the use of UDP.
This is all just gobbledygook. I bet 99.999% of the requests are UDP port 53.
I was just trying to highlight the fact that valid requests can use TCP.
They very rarely do and this UDP vs. TCP thing could probably be classified
as a piece of geek trivia.
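As an added example (not code from the thread or from any of its posters), here is the client-side behaviour Jim describes: parse the UDP reply header, test the TC bit, and, if it is set, re-frame the same query with the 2-byte length prefix that DNS over TCP uses. The header layout and prefix follow RFC 1035; all names and sample messages are constructed for this illustration.

```python
"""Added example: checking the DNS TC (truncated) bit and reframing a query for TCP.
Not from the thread; the sample messages below are constructed for the example."""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
QR_BIT = 0x8000   # response flag
TC_BIT = 0x0200   # truncated: reply did not fit the UDP limit, retry over TCP/53


def build_query(txid: int, name: str, qtype: int = 1, rd: bool = True) -> bytes:
    """Build a minimal UDP DNS query (A record by default)."""
    flags = 0x0100 if rd else 0x0000
    header = DNS_HEADER.pack(txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def response_is_truncated(msg: bytes, expected_id: int) -> bool:
    """True if msg is a response to expected_id with the TC bit set."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    txid, flags, *_ = DNS_HEADER.unpack_from(msg)
    if txid != expected_id or not flags & QR_BIT:
        raise ValueError("not a response to our query")
    return bool(flags & TC_BIT)


def frame_for_tcp(query: bytes) -> bytes:
    """RFC 1035 section 4.2.2: over TCP each message carries a 2-byte length prefix."""
    return struct.pack("!H", len(query)) + query


def next_transport(query: bytes, udp_reply: bytes) -> tuple:
    """Decide the follow-up: keep the UDP reply, or resend the same query over TCP/53."""
    txid = DNS_HEADER.unpack_from(query)[0]
    if response_is_truncated(udp_reply, txid):
        return "tcp", frame_for_tcp(query)
    return "udp", udp_reply


# Constructed samples: replies to txid 0x1234 echoing the question section, no answers.
# 0x8380 = QR|TC|RD|RA (truncated); 0x8180 = QR|RD|RA (complete).
QUERY = build_query(0x1234, "example.com")
TRUNCATED_REPLY = DNS_HEADER.pack(0x1234, 0x8380, 1, 0, 0, 0) + QUERY[DNS_HEADER.size:]
FULL_REPLY = DNS_HEADER.pack(0x1234, 0x8180, 1, 0, 0, 0) + QUERY[DNS_HEADER.size:]

if __name__ == "__main__":
    print(next_transport(QUERY, TRUNCATED_REPLY)[0])  # tcp
    print(next_transport(QUERY, FULL_REPLY)[0])       # udp
```

A resolver that only permits UDP/53 outbound will see the retry in the second case fail, which is the case Jim's "valid requests can use TCP" point is about.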
-----Original Message-----
From: Anthony Pace [mailto:anthonypace@fastmail.fm]
Sent: Saturday, July 13, 2002 4:14 PM
To: Brant Stevens; Jim Brown; jezerski@broadcom.com; 'Yakout esmat';
'kpalmer'; ccielab@groupstudy.com
Subject: Re: permit udp 53
I seem to remember reading that the distinction on DNS using UDP or TCP
was that one was for iterative queries and one was zone transfers. Are
we saying that the size of the DNS segment is determining which to use?
Anthony Pace
On Sat, 13 Jul 2002 17:06:48 -0400, "Brant Stevens"
<branto@myrealbox.com> said:
> DNS requests that exceed 512 bytes in length will automatically use
> TCP.
> To be RFC compliant, you should allow TCP and UDP. I've seen posts on
> boards related to BIND with people saying they don't allow both, and the
> responses that are given are unreal. Granted, they need to get a life, but
> they are right... =)
>
> -Brant
>
>
> ----- Original Message -----
> From: "Jim Brown" <Jim.Brown@caselogic.com>
> To: <jezerski@broadcom.com>; "Jim Brown" <Jim.Brown@caselogic.com>;
> "'Yakout esmat'" <yesmat@iprimus.com.au>; "'kpalmer'" <kip.palmer@verizon.net>;
> <ccielab@groupstudy.com>
> Sent: Saturday, July 13, 2002 1:45 PM
> Subject: RE: permit udp 53
>
>
> > If I'm not mistaken the RFC states requests can use either UDP or TCP for
> > lookups. The UDP format is typically used for lookups but isn't mandatory
> > per the RFC.
> >
> > If the lookup exceeds the UDP packet size limitation for a single packet I
> > believe the information is transmitted via TCP, even for lookups. Basically
> > if the response lookup packet is truncated the client is supposed to resend
> > the request via a TCP session.
> >
> > I personally block TCP 53 because I know my lookups do not exceed the
> > limitation and there is no reason for anyone to perform transfers from my
> > zone.
> >
> > I think it is a common misconception DNS lookups must ALWAYS use UDP for
> > lookups.
> >
> >
> > -----Original Message-----
> > From: Joseph Ezerski [mailto:jezerski@broadcom.com]
> > Sent: Saturday, July 13, 2002 10:47 AM
> > To: 'Jim Brown'; 'Yakout esmat'; 'kpalmer'; ccielab@groupstudy.com
> > Subject: RE: permit udp 53
> >
> >
> > I think DNS Zone Transfers use TCP 53. Lookups use UDP.
> >
> > -Joe
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Jim Brown
> > Sent: Saturday, July 13, 2002 9:27 AM
> > To: 'Yakout esmat'; kpalmer; ccielab@groupstudy.com
> > Subject: RE: permit udp 53
> >
> >
> > If I'm not mistaken, in certain cases DNS lookups can use TCP 53. I know
> > downloads use TCP 53 but depending on the lookup size I believe lookups can
> > also use TCP 53.
> >
> > -----Original Message-----
> > From: Yakout esmat [mailto:yesmat@iprimus.com.au]
> > Sent: Friday, July 13, 2001 7:39 AM
> > To: kpalmer; ccielab@groupstudy.com
> > Subject: RE: permit udp 53
> >
> >
> > Shouldn't the second line in the access-list be like that:
> >
> > access-list 105 permit udp [x.x.x.0 0.0.0.255] gt 1023 [x.x.x.0 0.0.0.255]
> > eq 53 log
> >
> >
> > Which means that the source udp port number is greater than 1023 and
> > destination port is UDP 53. Isn't that the way dns works?
> >
> > I may be totally wrong
> >
> > Yakout
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > kpalmer
> > Sent: Saturday, July 13, 2002 10:49 PM
> > To: ccielab@groupstudy.com
> > Subject: permit udp 53
> >
> >
> > For anyone who cares, here's a tested dns filter.
> > What a moment of incompetence? I mean, I've worked with
> > PIX on a daily basis and have set my share of perimeter
> > ACL's. But get me on my home network and all bets are off.
> >
> > Actually, I think the PIX runs a fixup protocol on DNS, like
> > FTP, SMTP, etc.
> > Maybe that's why I drew a blank. Still no excuse.
> >
> >
> > access-list 105 permit tcp any x.x.0.0 0.0.y.x established
> > access-list 105 permit udp [x.x.x.0 0.0.0.255] eq 53 [x.x.x.0 0.0.0.255]
> > gt 1023 log
> > dns servers inside subnets
> >
> > Log it to test it.
> >
> > interface serial 1
> > ip access-group 105 in
> >
> >
> > Kip Palmer
> > kip.palmer@verizon.net
> > 909.374.6865 cell
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:29 GMT-3