even queries beyond a certain size (I think 512 bytes) will go on TCP.
http://www.maradns.org/dnstcp_security.html
rkt
-Original Message-
From: [EMAIL PROTECTED] [mailto:Leonard.Ong@;nokia.com]
Sent: Thursday, October 31, 2002 5:51 PM
To: [EMAIL PROTECTED]
Subject: RE: TCP DNS requests
Yes, I am confirming this. Zone transfer uses TCP/53, while queries use
UDP/53.
Regards,
Leonard Ong
Network Security Specialist, APAC
NOKIA
Email. [EMAIL PROTECTED]
Mobile. +65 9431 6184
Phone. +65 6723 1724
[mailto:danielrm26@;hotmail.com]
Sent: Friday, November 01, 2002 1:20 AM
To: 'Carl R Diliberto'; 'security-basics'
Subject: RE: TCP DNS requests
Zone Transfers use TCP instead of UDP on port 53. That is most likely
what you are seeing.
--Daniel
> We are reporting TCP based DNS
It is a common misconception that TCP DNS is only for zone transfers. The
DNS specification calls for the use of TCP whenever the response exceeds
the size of a UDP packet (512 bytes). Zone transfers happen to fall within
this category of large responses; however, some client requests can result
-Original Message-
From: Raghu Chinthoju [mailto:chraghu@;hyd.wilco-int.com]
Sent: Wednesday, October 30, 2002 2:43 PM
To: 'Carl R Diliberto'; 'security-basics'
Subject: RE: TCP DNS requests
Carl
I believe that DNS lookups use UDP because the request and response can
each fit into one packet. If a DNS request is for some reason larger
than 512 bytes which is the maximum size for a UDP packet (RFC1035 [6])
then the client will use TCP instead. Closing this port to internal
clients co
One program I know of that uses TCP requests for DNS requests is Microsoft's
SMTP server that's bundled with IIS. There's a KB article on MS's website
that states that the RFC for DNS servers should be able to accept UDP and
TCP requests. MS took this to extreme and set their SMTP server to ONLY u
TCP/DNS(53) is used for zone transfer. To be simple, TCP/DNS(53) is used
between the name servers to exchange/update their name databases, whereas
UDP/DNS(53) is used for querying.
I see two possibilities for having generated TCP based DNS requests in your
network.
1. You must have another DNS se
I believe DNS uses TCP in certain circumstances. If I recall correctly, if
the request to the DNS server generates a reply that's too big for UDP, it
will use TCP instead. If you block TCP, you'll see strange behavior from
your DNS server - it'll work sometimes but not others. Your internal
clie
At 08:46 AM 10/30/2002, Carl R Diliberto wrote:
We are reporting TCP based DNS requests to one of our DNS servers coming
from internal, client IP addresses. My manager would like to block the TCP
packets. What or why would there be random TCP packets? We monitored
several clients and it appears
UDP is used for normal domain queries. TCP is used for zone transfers and
large queries. Stopping it at the firewall (tcp/53) can be safe and will
definitely stop any zone transfers, but the occasional DNS query might not
work. It is better to use named.conf to control zone transfers.
M.W.
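The mechanism the thread keeps circling back to, a resolver that receives a UDP reply with the TC (truncation) bit set and repeats the same query over TCP/53, where the message is carried with a two-byte length prefix (RFC 1035 sections 4.1.1, 4.2.1 and 4.2.2), is shown below in an added Python example. It is not code from any of the posters; the query name, transaction ID and reply bytes are constructed here for illustration, and the resolver logic is a minimal sketch of what a stub resolver does, not any particular implementation.

```python
import struct

# RFC 1035 section 4.2.1: DNS messages over UDP are limited to 512 bytes (without EDNS).
DNS_UDP_MAX = 512


def encode_name(qname: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header (RD=1, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_header(message: bytes) -> dict:
    """Decode the DNS header flags and section counts (RFC 1035 section 4.1.1)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,      # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "tc": (flags >> 9) & 1,       # 1 = reply was truncated to fit UDP
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def choose_transport(udp_reply: bytes) -> str:
    """What a stub resolver does with a UDP reply: accept it, or repeat the query over TCP."""
    hdr = parse_header(udp_reply)
    if hdr["qr"] != 1:
        raise ValueError("not a DNS response")
    return "tcp" if hdr["tc"] else "udp"


def frame_for_tcp(message: bytes) -> bytes:
    """RFC 1035 section 4.2.2: over TCP each message is prefixed with its 2-byte length."""
    return struct.pack("!H", len(message)) + message


def unframe_tcp(stream: bytes):
    """Split one length-prefixed message off a TCP byte stream.

    Returns (message, remainder), or (None, stream) when the stream does not yet
    hold a complete message, which is the common bug in ad-hoc TCP DNS parsers.
    """
    if len(stream) < 2:
        return None, stream
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        return None, stream
    return stream[2:2 + length], stream[2 + length:]


# Constructed sample traffic (hypothetical name and ID, not captured data).
SAMPLE_QUERY = build_query("example.com")
# Reply flags 0x8380 = QR|TC|RD|RA: the server could not fit the answer in 512 bytes.
SAMPLE_TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + SAMPLE_QUERY[12:]
# Reply flags 0x8180 = QR|RD|RA with one A record (name pointer to the question, TTL 300).
_ANSWER_RR = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([93, 184, 216, 34])
SAMPLE_NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + SAMPLE_QUERY[12:] + _ANSWER_RR


if __name__ == "__main__":
    for label, reply in (("normal", SAMPLE_NORMAL_REPLY), ("truncated", SAMPLE_TRUNCATED_REPLY)):
        transport = choose_transport(reply)
        print(f"{label} reply: TC={parse_header(reply)['tc']} -> next step: {transport}")
        if transport == "tcp":
            # This is the traffic the original poster saw: the same question, now on TCP/53.
            print("  TCP payload:", frame_for_tcp(SAMPLE_QUERY).hex())
```

The point for the firewall discussion is that the TCP connection here is a legitimate retry of an ordinary client query, not a zone transfer: blocking TCP/53 from internal clients makes exactly these lookups fail intermittently, as several replies in the thread warn, while zone transfers are better restricted in the server configuration (allow-transfer in named.conf).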