Nate Campi wrote:
> 
> On Fri, Feb 22, 2002 at 02:09:50PM -0800, Tom Marshall wrote:
> > On Fri, Feb 22, 2002 at 08:27:48PM +0100, Patrick Schaaf wrote:
> > > On Fri, Feb 22, 2002 at 10:32:10AM -0800, Tom Marshall wrote:
> > > > DNS uses UDP.  TCP is normally only used for zone transfers.  There is
> > > > significant philosophical discussion about this issue every time it is
> > > > raised. Apparently some version(s) of AIX always use TCP for DNS requests.
> > > > But it works for about 99.999% of all requests.
> > >
> > > It's not a philosophical question, but a technical question about whether
> > > you support the standard. You can make up rationalisations about why
> > > your standard violation won't affect you, but those self-justifications
> > > are irrelevant. Your implementation is either standard-conforming, or not.
> > > Blocking TCP DNS requests isn't, plain and simple. Face it. Say it out loud:
> > >
> > > You are free to call that philosophy. I chose to call it stupidity.
> >
> > Call it what you like.  When the next bind exploit comes out, my machine
> > isn't going to get hacked.  If that means that someone with an old version
> > of AIX cannot look up my domain names, then that's just fine with me.  If
> > that means that someone is going to argue with me on a mailing list, that's
> > fine too.  It's not worth enabling TCP when the valid-request-to-hacker
> > ratio is so close to zero.  Sure, it's not a technical reason.  It's a
> > security reason.
> 
> I'm neither agreeing nor disagreeing here, but your statement assumes
> that the next BIND exploit will only be possible over TCP. How do you
> know this?

It also assumes one has no secondary zones.  Frankly, I can't imagine
an authoritative zone not making provisions to avoid a single point
of failure by not setting up at least one secondary zone on another
network.  Think MX and alternate mail drops in the event your
connection is down more than 4 hrs.
Use views & keys in a current bind to stop unauthorized zone transfers
& exploits on tcp rather than packet filters.
IMHO.

Regards,
Doug
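
As an added illustration of Doug's suggestion above (not part of the original
thread, and not configuration from any of the posters): a BIND 9 named.conf
fragment that keeps TCP/53 open for legitimate secondaries and ordinary
truncated-answer retries, but restricts zone transfers with a TSIG key and an
explicit allow-transfer list instead of a packet filter. The zone name
example.com, the secondary address 192.0.2.53, the internal network 10.0.0.0/8,
the key name xfer-key and the placeholder secret are all assumptions chosen for
the example; generate a real secret with tsig-keygen (or dnssec-keygen on older
BIND 9 releases) and keep it out of world-readable files.

```conf
// --- Weak setting: anyone who can reach TCP/53 can pull the whole zone ---
// zone "example.com" {
//     type master;
//     file "db.example.com";
//     allow-transfer { any; };
// };

// --- Hardened setting: TSIG-authenticated transfers to a named secondary ---

// Shared secret for transfer authentication.  Placeholder value; replace it
// with the output of tsig-keygen (assumption: HMAC-SHA256 is accepted by
// both ends; older BIND 9 releases only offer hmac-md5).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";
};

// Sign every message we send to the secondary (NOTIFY, etc.) with the key.
server 192.0.2.53 {
    keys { "xfer-key"; };
};

acl "secondaries" { 192.0.2.53; };
acl "internal"    { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    // Global defaults: no transfers, no recursion unless a view overrides.
    allow-transfer { none; };
    recursion no;
    // Rate-limit and log transfers rather than blocking the whole transport.
    transfers-out 5;
};

// Internal view: the full zone, recursion for our own clients only.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/db.example.com";
        // Still require the key even from inside; an address is not an identity.
        allow-transfer { key "xfer-key"; };
    };
};

// External view: public records only, transfers only to the keyed secondary.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/db.example.com";
        // Both conditions must hold: known secondary address AND valid TSIG.
        allow-transfer { !{ !"secondaries"; any; }; key "xfer-key"; };
        also-notify { 192.0.2.53; };
    };
};

// On the secondary (192.0.2.53), the matching side (assumed layout):
//
// key "xfer-key" { algorithm hmac-sha256; secret "...same secret..."; };
// server 198.51.100.53 { keys { "xfer-key"; }; };
// zone "example.com" { type slave; file "db.example.com";
//                      masters { 198.51.100.53; }; };
```

The check a practitioner would run after loading this: from an unrelated host,
`dig @198.51.100.53 example.com AXFR` should be refused, while
`dig @198.51.100.53 -y hmac-sha256:xfer-key:<secret> example.com AXFR` from the
secondary should succeed and appear in the named log. Note that this addresses
only unauthorized transfers, which is what keys and views are for; it does not
change the point raised earlier in the thread that a parsing bug in named is
reachable over UDP just as well as over TCP.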
