Hi Guys,
All things being equal (which they're usually not) you could use the ACK
response time of the TCP handshake if they've got TCP DNS resolution
available. Though again most don't for security reasons...
-J
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Be
On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote:
All things being equal (which they're usually not) you could use
the ACK
response time of the TCP handshake if they've got TCP DNS resolution
available. Though again most don't for security reasons...
Then most are incredibly stupid.
Those a
On 7-Aug-2007, at 14:38, Patrick W. Gilmore wrote:
On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote:
All things being equal (which they're usually not) you could use
the ACK
response time of the TCP handshake if they've got TCP DNS resolution
available. Though again most don't for security r
On Tue, 07 Aug 2007 14:38:06 EDT, "Patrick W. Gilmore" said:
>> In addition, any UDP truncated response needs to be retried via
>> TCP- blocking it would cause a variety of problems.
> Since we are talking about authorities here, one can control the size
> of one's responses.
Barely.
% dig ao
On Aug 7, 2007, at 3:45 PM, [EMAIL PROTECTED] wrote:
On Tue, 07 Aug 2007 14:38:06 EDT, "Patrick W. Gilmore" said:
In addition, any UDP truncated response needs to be retried via
TCP- blocking it would cause a variety of problems.
Since we are talking about authorities here, one can control
This has been a pain for me for years. I have tried to reason with
security people about this and, while they don't dispute my reasoning,
they always end up saying that it is the "standard" practice and that,
lacking any evidence of what it might be breaking, it will continue to
be blocked. And
As for being "incredibly stupid", well, as I have said in private, calling a
bunch of people rude names without even asking them why they are doing what
you think is so stupid is .. uh .. probably not very bright. :) Unless, of
course, you want everyone else passing judgement on how you run y
> Date: Tue, 7 Aug 2007 16:33:22 -0400 (EDT)
> From: Donald Stahl <[EMAIL PROTECTED]>
>
> > This has been a pain for me for years. I have tried to reason with
> > security people about this and, while they don't dispute my reasoning,
> > they always end up saying that it is the "standard" practice
> The point is, if you are the authority, you know how big the packet
> is. If you know it ain't over 512, then you don't need TCP.
>
> Or are you saying you do? Wouldn't it be 'incredibly stupid' for
> recursive servers to -require- TCP, even for < 512 byte packets?
A TCP query is just as val
On Tue, 07 Aug 2007 16:10:17 EDT, "Patrick W. Gilmore" said:
> The point is, if you are the authority, you know how big the packet
> is. If you know it ain't over 512, then you don't need TCP.
Right. But remember the discussion is that *we* (for some value of "we")
are querying some *other* n
On Tue, Aug 07, 2007 at 01:50:33PM -0700, Kevin Oberman wrote:
> that security types (I mean those with a police/physical security
> background) don't much care for these arguments. It usually comes down
> to "lock and bar every door unless you can prove to them that there is a
> need to have the
On Tue, 7 Aug 2007, Donald Stahl wrote:
It has nothing to do with judging how one runs their network or any other
such nonsense. The RFC's say TCP 53 is fine. If you don't want to follow the
rules, fine, but have the temerity to admit that it is stupid.
I don't want to wade into this particu
On Aug 7, 2007, at 2:23 PM, Andrew Sullivan wrote:
On Tue, Aug 07, 2007 at 01:50:33PM -0700, Kevin Oberman wrote:
that security types (I mean those with a police/physical security
background) don't much care for these arguments. It usually comes
down to "lock and bar every door unless you
Hi,
On Aug 7, 2007, at 1:33 PM, Donald Stahl wrote:
Can someone, anyone, please explain to me why blocking TCP 53 is
considered such a security enhancement? It's a token gesture and
does nothing to really help improve security. It does, however,
cause problems.
It has been argued that it
Dear colleagues,
I apologise for replying twice in the same thread (especially as I
tend not to post here very much, on the grounds that I usually don't
know what I'm talking about). I feel compelled to object to the
below remark, however, because I think it gets at the heart of the
problem.
On
On Tue, 7 Aug 2007, Donald Stahl wrote:
>
> > As for being "incredibly stupid", well, as I have said in private, calling a
> > bunch of people rude names without even asking them why they are doing what
> > you think is so stupid is .. uh .. probably not very bright. :) Unless, of
> > course,
> The answer is simple- because they are supposed to be allowed. By
disallowing
> them you are breaking the agreed upon rules for the protocol. Before
> long it becomes impossible to implement new features because you can't
be
> sure if someone else hasn't broken something intentionally.
I don
> On Aug 7, 2007, at 4:33 PM, Donald Stahl wrote:
> > If you don't like the rules- then change the damned protocol. Stop
> > just doing whatever you want and then complaining when other people
> > disagree with you.
> I think this last part is the key.
> Remember the old adage: "My network, My