RE: Fine Print

From: Ibrahim, Mohammed (mibrahim@necunified.com)
Date: Wed Aug 02 2006 - 15:43:57 ART


Sasa,
        You are right. Actually one of the group study members (Brad)
had forwarded this information to me. You learn something every day :)

http://www.ietf.org/rfc/rfc1123.txt

    Responsible practices can make UDP suffice in the vast
    majority of cases. Name servers must use compression
    in responses. Resolvers must differentiate truncation
    of the Additional section of a response (which only
    loses extra information) from truncation of the Answer
    section (which for MX records renders the response
    unusable by mailers). Database administrators should
    list only a reasonable number of primary names in lists
    of name servers, MX alternatives, etc.

    However, it is also clear that some new DNS record
    types defined in the future will contain information
    exceeding the 512 byte limit that applies to UDP, and
    hence will require TCP. Thus, resolvers and name
    servers should implement TCP services as a backup to
    UDP today, with the knowledge that they will require
    the TCP service in the future.

In modern DNS infrastructure, such cases where TCP queries are necessary
are becoming more common, not less common, but the RFC is true to form
-- the "vast majority" of DNS servers could filter TCP:53 to any IP that
does not require AXFR support and survive just fine. Some, however,
can't :)

Just something to consider.

Mohammed Ibrahim
CCIE # 16444 (Security)

-----Original Message-----
From: Sasa Milic [mailto:smilic2@pexim.co.yu]
Sent: Wednesday, August 02, 2006 9:46 AM
To: Ibrahim, Mohammed; security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: Re: Fine Print

According to the RFC (well, I read it 10 years ago, hopefully it hasn't
changed) the server can inform the client that the response is too big and
that the client should use tcp to retrieve the whole record.

Sasa
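
The TC-bit fallback Sasa describes, together with RFC 1123's point (quoted above) that a resolver should tell truncation of the Additional section from truncation of the Answer section, as an added Python example that is not part of the thread or the RFC: it walks a response far enough to decide whether a TCP retry is actually needed. The DNS messages are constructed samples, and the section names and return labels are this example's own.

```python
import struct

TC = 0x0200  # TC (truncation) bit in the DNS header flags word

def parse_name(msg, off):
    """Read a possibly-compressed name at off; return (name, offset just after it)."""
    labels, end = [], None
    try:
        for _ in range(128):                           # bounds label count and pointer loops
            n = msg[off]
            if n & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
                end = off + 2 if end is None else end  # the caller resumes after the first pointer
                off = ((n & 0x3F) << 8) | msg[off + 1]
            elif n == 0:
                return ".".join(labels), (off + 1 if end is None else end)
            elif off + 1 + n > len(msg):
                raise IndexError
            else:
                labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
                off += 1 + n
    except IndexError:
        pass
    raise ValueError("name runs past the end of the message or loops")

def classify_response(msg):
    """'complete', 'truncated-but-usable' (TC set, Answer section whole) or 'answer-truncated' (retry over TCP)."""
    _, flags, qd, an, _, _ = struct.unpack_from("!6H", msg, 0)
    off = 12
    try:
        for _ in range(qd):
            off = parse_name(msg, off)[1] + 4                  # QNAME, then QTYPE + QCLASS
        for _ in range(an):                                    # every Answer RR must be whole
            off = parse_name(msg, off)[1]
            rdlen = struct.unpack_from("!H", msg, off + 8)[0]  # TYPE, CLASS, TTL, then RDLENGTH
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("RDATA runs past the end of the message")
    except (ValueError, struct.error):
        return "answer-truncated"
    return "truncated-but-usable" if flags & TC else "complete"

# Constructed sample (not from the thread): question for example.com MX at offset 12,
# an MX answer whose owner and exchange names use compression pointers, and an A record.
Q = b"\x07example\x03com\x00\x00\x0f\x00\x01"
MX = b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x01\x2c\x00\x09\x00\x0a\x04mail\xc0\x0c"
A = b"\x04mail\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"

def response(flags, ancount, arcount, body):
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, arcount) + Q + body
```

Only the "answer-truncated" outcome forces the resolver back onto tcp/53; a response whose TC bit is set but whose Answer records all parse can still be used, which is exactly the distinction the RFC asks resolvers to make.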

----- Original Message -----
From: "Ibrahim, Mohammed" <mibrahim@necunified.com>
To: <security@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, July 25, 2006 10:46 PM
Subject: RE: Fine Print

> Read the question twice to confirm. If they say "dns client to server",
> udp 53 is enough. If they say "allow communication to DNS server", it can
> be both for zone transfer (tcp 53) and udp 53.
>
>
> Regards,
> Mohammed Ibrahim
> CCIE # 16444 (Security)
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Robert Yee
> Sent: Thursday, July 20, 2006 10:19 PM
> To: Nuno Ceitil; security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: RE: Fine Print
>
> If you need any clarification on a question during the lab, I think it's
> best to ask the proctor. However, the question should not be open-ended.
> Tell him/her that, depending on how the question is read, you can
> configure it A or B.
>
> I had a few instances during my lab and the proctor was able to clarify
> the reading of the question for me without any issues.
>
> Also, I think sometimes candidates can read too much into a question.
>
> Robert Yee, CCIE 11716
>
> -----Original Message-----
> From: Nuno Ceitil [mailto:nuno@sts.co.za]
> Sent: Thursday, July 20, 2006 2:48 PM
> To: security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: Fine Print
>
> Hi All,
>
> FOR THE LAB AND ONLY THE LAB - General Feeling
>
> ACL that needs to match DNS
> only udp 53
> or
> udp and tcp 53
>
> ACL to match PING
> only icmp
> or
> icmp and udp/echo/echo-reply
>
> ACL to match OSPF
> only ospf host ip host ip
> or
> ospf host ip host ip + ospf host ip 224.0.0.x
>
> Limit TCP intercept or CBAC sessions but only one set of high/low values
> given - question implies setting global values
>
> only set global values
> or
> set global values and one minute values
>
> Thoughts and comments please.
>
> Thanks
>
>