DNS may use TCP for operations other than "bulk" operations. In the past, it used to be "ok" to block port 53 tcp, but these days, you may run into issues if you do so.

Traditionally, UDP DNS responses are limited to 512 bytes. Many larger responses exceed these 512 bytes. If a response exceeds 512 bytes, the UDP response will be truncated to 512 bytes, and the "truncate" bit in the response will be set. The client now has the option to request the full response via TCP. Again: This is perfectly normal and not a zone transfer. Responses tend to exceed 512 bytes if you are using DNSSEC.

To accommodate the larger responses, a new feature, "EDNS0", was introduced. With this feature, your client will indicate that it is willing to receive UDP responses exceeding 512 bytes, and the fallback to TCP will not be necessary. But you may end up with fragmented UDP traffic, and some firewalls have issues with the larger DNS responses. So if you block TCP port 53, you will only receive a partial response in these cases. Now in most cases, these partial responses still include enough data to "do business". But not if the DNS server you are querying is protected by an anti-denial-of-service appliance that returns empty truncated responses. In this case, without being able to fall back to TCP, your client will get no data at all.

Throttling UDP traffic inbound is a good idea if you have an authoritative name server, in particular to block/throttle severely "ANY" queries. If your name server is recursive only, then it shouldn't accept any unsolicited inbound DNS traffic.

What queries are you seeing in the DoS attacks?

On Nov 13, 2012, at 12:56 PM, Tim Holloway <t...@mousetech.com> wrote:

> DNS/RDNS should* be using udp. Port 53 tcp is for bulk operations like
> zone transfers. My firewall permits port 53 UDP from outside, but not
> port 53 tcp, since all the zone transfers are intranet.
>
> Actually, I had to put a throttle on port 53 UDP external inbound
> traffic as well, since in recent months I've seen several instances of
> being DDOS'ed because I was being exploited for DNS reflection attacks.
>
> Tim
>
> *Unless they aren't.
>
> On Fri, 2012-11-09 at 16:20 -0500, The Donald Cowart wrote:
>> Just off the top of my head, one is using TCP, the other UDP???
>>
>> --DC
>>
>> On Fri, Nov 9, 2012 at 4:17 PM, Robert Mckennon <robmcken...@gmail.com> wrote:
>>
>>> So...the issue is:
>>>
>>> Connected to the corporate network via a vpn connection through our
>>> new cisco ASA, for some reason Forward DNS queries fail, but Reverse
>>> DNS queries work.... This is very baffling!
>>>
>>> I just can't imagine that the firewall somehow is blocking forward lookups
>>> but allowing reverse lookups, when icmp and filesharing all work (at
>>> least via ip address).
>>>
>>> Any thoughts???
>>>
>>> Rob.
>>>
>>> ---------------------------------------------------------------------
>>> Archive http://marc.info/?l=jaxlug-list&r=1&w=2
>>> RSS Feed http://www.mail-archive.com/list@jaxlug.org/maillist.xml
>>> Unsubscribe list-unsubscr...@jaxlug.org
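The truncation-and-fallback behaviour the top message describes, as an added example that is not part of the thread and not anyone's posted code. It builds a DNS query (optionally with an EDNS0 OPT record advertising a larger UDP buffer), sends it over UDP, and if the answer comes back with the TC bit set, repeats it over TCP port 53 with the two-byte length prefix TCP DNS uses. The resolver address `127.0.0.1` in the usage block is a placeholder, and the truncated response used to exercise the check is a constructed header, not captured traffic. Only the standard library is used, so the parsing and query-building helpers run offline.

```python
"""Probe the UDP -> TCP fallback for DNS (added example, not from the thread).

A response whose TC (truncated) flag is set tells the client to retry over
TCP.  If 53/tcp is blocked by a firewall, that retry fails and the client is
left with the partial (or, behind some anti-DoS appliances, empty) UDP answer.
"""
import socket
import struct
from typing import Optional, Tuple

DNS_PORT = 53
TYPE_A = 1
TYPE_OPT = 41          # EDNS0 pseudo-RR type (RFC 6891)
FLAG_QR = 0x8000
FLAG_TC = 0x0200       # truncated: client should retry over TCP
FLAG_RD = 0x0100


def build_query(name: str, qtype: int = TYPE_A,
                edns_bufsize: Optional[int] = None, txid: int = 0x1234) -> bytes:
    """Build a recursion-desired query; add an OPT record if edns_bufsize is given."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size the
        # client is willing to receive, TTL holds ext-RCODE/version/flags (0), RDLEN=0.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(resp: bytes) -> bool:
    """True when the UDP answer is truncated and a TCP retry is required."""
    return parse_header(resp)["tc"]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, DNS_PORT))
        return s.recv(4096)


def query_tcp(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    # TCP DNS frames each message with a 2-byte big-endian length (RFC 1035 4.2.2).
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def resolve(server: str, name: str, qtype: int = TYPE_A,
            edns_bufsize: Optional[int] = None) -> Tuple[dict, bytes]:
    """UDP first; fall back to TCP when the response is truncated."""
    query = build_query(name, qtype, edns_bufsize)
    resp = query_udp(server, query)
    if needs_tcp_retry(resp):
        # If 53/tcp is filtered this raises (timeout or refused): the exact
        # failure mode the message above warns about.
        resp = query_tcp(server, query)
    return parse_header(resp), resp


# Constructed sample: a response header with QR, TC, RD and RA set and no
# answer records, i.e. the "empty truncated response" case from the message.
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder
    hdr, _ = resolve(resolver, "example.com", edns_bufsize=None)
    print(hdr)
```

Run it once without `edns_bufsize` and once with `edns_bufsize=4096` against a zone that returns large (for example DNSSEC-signed) answers: the first run shows the TC flag and the TCP retry, the second usually avoids the retry because the server now knows it may send a larger UDP datagram, at the cost of possible fragmentation.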