Not to toss flammables onto the pyre. BUT there is a large difference between what the RFCs allow and common practice. In our shop TCP is blocked to all but authoritative secondaries, as TCP is simply too easy to DoS a DNS server with. We simply don't need a few thousand drones clogging the TCP connection table all trying to do zone transfers (yes, it happened, and logs show drones are still trying).

For a long time there has been an effective practice of

UDP == resolution requests
TCP == zone transfers

It would have been better if a separate port had been defined for zone transfers, as that would obviate the need for an application-layer gateway to allow TCP transfers so that zone transfers can be blocked and resolution requests allowed; for now all TCP is blocked.

Now, just because someone has a bright idea, they drag out a 20 y/o RFC and say SEE, SEE, you must allow this because the RFC says so, all the while ignoring the 20 years of operational discipline. That RFC was written when the internet was like the quad at college: everyone knew one another, and we were all working towards a common goal of interoperability and open systems. These days the net is more like a seedy waterfront after midnight where criminal gangs are waiting to ambush the unwary, and consequently networks need to be operated from that standpoint.

At the University networking level it is extremely difficult, as we need to maintain an open network as much as possible but protect our infrastructure services so that they have 5 nines of availability. Back in the day a few small hosts would serve DNS nicely, and we did not have people trying to take them down and/or infecting local hosts and attempting DHCP starvation attacks. And no, we are not at the 5 nines level, but we are working on it.


- Scott


Randy Bush wrote:
If my server responded to TCP queries from anyone other than a secondary
server, I would be VERY concerned.

you may want to read the specs

randy
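As an added example (not code from Scott's or Randy's posts), a defender-side script for the "logs show drones are still trying" situation: it parses constructed BIND-style "zone transfer denied" lines, ignores sources inside the assumed secondary range 198.51.100.0/24, and flags repeat offenders that would be filling the TCP connection table if TCP/53 were open to everyone.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines modelled on BIND's "zone transfer ... denied"
# message; not real logs from any server.
SAMPLE_LOG = """\
26-Mar-2024 10:01:02.123 client 192.0.2.10#41234: zone transfer 'example.edu/AXFR/IN' denied
26-Mar-2024 10:01:02.456 client 192.0.2.10#41235: zone transfer 'example.edu/AXFR/IN' denied
26-Mar-2024 10:01:03.001 client 198.51.100.7#53: transfer of 'example.edu/IN': AXFR started
26-Mar-2024 10:01:05.777 client 203.0.113.44#5555: zone transfer 'example.edu/AXFR/IN' denied
26-Mar-2024 10:01:06.002 client 192.0.2.10#41236: zone transfer 'example.edu/IXFR/IN' denied
"""

# Assumed allow-list: the authoritative secondaries permitted to pull zones.
ALLOWED_SECONDARIES = [ip_network("198.51.100.0/24")]

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: zone transfer "
    r"'(?P<zone>[^/]+)/(?P<kind>AXFR|IXFR)/IN' denied"
)


def is_secondary(ip: str) -> bool:
    """True if the source address belongs to an allowed secondary."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_SECONDARIES)


def denied_transfers(log_text: str) -> Counter:
    """Count denied AXFR/IXFR attempts per source that is not an allowed secondary."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and not is_secondary(m.group("ip")):
            counts[m.group("ip")] += 1
    return counts


def flag_sources(log_text: str, threshold: int = 2) -> list:
    """Sources with at least `threshold` denied transfer attempts, sorted."""
    return sorted(ip for ip, n in denied_transfers(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in denied_transfers(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} denied zone transfer attempt(s)")
    print("repeat offenders:", flag_sources(SAMPLE_LOG))
```

Output of `flag_sources` is the list you would feed into a block-list or rate-limit review; sources inside the secondary range never appear in it even if a transfer were denied, so a denied line from a secondary is a configuration problem to check by hand.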