[dns-operations] DNS Issue

John Kristoff jtk at cymru.com
Fri Apr 26 16:00:39 UTC 2013


On Fri, 26 Apr 2013 12:24:01 +0000
"Cihan SUBASI (GARANTI TEKNOLOJI)" <CihanS at garanti.com.tr> wrote:

> Also can someone explain why tcp53 should be allowed on the firewalls
> if dns is behind a firewall?

DNS over TCP is not just for zone transfers.  Many legitimate queries
and answers will be carried over TCP.  Usually this will occur in one
of two scenarios:

  1. An answer does not fit into a single UDP message (whose size is
     negotiated through EDNS0 or not).

  2. An operator is forcing DNS to switch-over to TCP to mitigate
     spoofed source address queries, usually in response to some sort of
     packet flooding attack.  Some in-line gear has done this in the
     past, but more recently it is being put directly into
     implementations.  See http://redbarn.org/dns/ratelimits for
     details.

IETF RFC 5966 updates 1035 and 1123 to specify that DNS over TCP must
be supported in implementations.  See that document and this generic
sounding talk almost a decade ago for some additional discussion about
why disallowing TCP can be harmful:

  DNS Anomalies and Their Impact on DNS Cache Servers
  <http://www.nanog.org/meetings/nanog32/abstracts.php?pt=NTY4Jm5hbm9nMzI=&nm=nanog32>

Note, rarely in my experience does a query start with TCP outside of
troubleshooting scenarios, but it is not infeasible and it is not hard
to imagine it being done.

> And why auditors do not like tcp53 open to public?

They may have an outdated, naive view of what should be open and
what shouldn't be?  Show them the above and ask them why.  I'd be
curious what the response is.

John
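The UDP-then-TCP fallback from scenario 1 above, as an added example that is not part of the original post: it builds a query, detects the TC (truncation) bit in a constructed truncated reply, and frames the retry with the 2-byte length prefix that DNS over TCP requires. The function names and the sample message bytes are my own constructions, not taken from any real resolver.

```python
import struct
from typing import Tuple

# DNS header flags (RFC 1035 section 4.1.1): QR Opcode(4) AA TC RD RA Z(3) RCODE(4)
TC_BIT = 0x0200  # response was truncated to fit the UDP message size
RD_BIT = 0x0100  # recursion desired

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a one-question DNS query message (wire format, no length prefix)."""
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question

def is_truncated(response: bytes) -> bool:
    """True if TC is set, i.e. the server could not fit the answer in UDP."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_BIT)

def frame_for_tcp(message: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message

def choose_transport(query: bytes, udp_response: bytes) -> Tuple[str, bytes]:
    """What a resolver does next after a UDP reply: retry over TCP if truncated.
    Returns ("tcp", framed_query) or ("done", udp_response)."""
    txid_q = struct.unpack("!H", query[:2])[0]
    txid_r = struct.unpack("!H", udp_response[:2])[0]
    if txid_q != txid_r:
        raise ValueError("transaction ID mismatch; reply must be ignored")
    if is_truncated(udp_response):
        return "tcp", frame_for_tcp(query)
    return "done", udp_response

# Constructed samples (hypothetical, not captured traffic): a TXT query and two replies
# echoing its question section, one truncated (QR|TC|RD|RA) and one complete (QR|RD|RA).
SAMPLE_QUERY = build_query("example.com", qtype=16)
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + SAMPLE_QUERY[12:]
SAMPLE_COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + SAMPLE_QUERY[12:]

if __name__ == "__main__":
    action, payload = choose_transport(SAMPLE_QUERY, SAMPLE_TRUNCATED)
    print(action, payload[:2].hex())  # tcp 001d
```

A firewall that drops tcp/53 breaks exactly the retry shown here, so the client is left with a reply it must discard rather than a usable answer.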


