On Fri, Feb 22, 2002 at 08:27:48PM +0100, Patrick Schaaf wrote:
> On Fri, Feb 22, 2002 at 10:32:10AM -0800, Tom Marshall wrote:
> > DNS uses UDP.  TCP is normally only used for zone transfers.  There is
> > significant philosophical discussion about this issue every time it is
> > raised.  Apparently some version(s) of AIX always use TCP for DNS requests.
> > But it works for about 99.999% of all requests.
> 
> It's not a philosophical question, but a technical question about whether
> you support the standard. You can make up rationalisations about why
> your standard violation won't affect you, but those self-justifications
> are irrelevant. Your implementation is either standard-conforming, or not.
> Blocking TCP DNS requests isn't, plain and simple. Face it. Say it out loud:
> 
>       I advocate implementing DNS in a broken way,
>       and I have no good technical reason for it,
>       just some hearsay-it's-safer-that-way feeling.
>  
> You are free to call that philosophy. I chose to call it stupidity.

Call it what you like.  When the next bind exploit comes out, my machine
isn't going to get hacked.  If that means that someone with an old version
of AIX cannot look up my domain names, then that's just fine with me.  If
that means that someone is going to argue with me on a mailing list, that's
fine too.  It's not worth enabling TCP when the valid-request-to-hacker
ratio is so close to zero.  Sure, it's not a technical reason.  It's a
security reason.

-- 
Unplug and get connected: http://www.seattlewireless.net/
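The standards point argued in the quoted exchange rests on RFC 1035: a UDP answer that does not fit in the classic 512-byte limit (without EDNS0) comes back with the TC (truncation) bit set, and the resolver is then required to repeat the query over TCP, where each message is prefixed with a two-byte length. A firewall that drops TCP/53 therefore breaks exactly those lookups, not just "old AIX". The following is an added example, not code from this thread or from any of the posters: it builds a query, checks a (constructed, offline) UDP response for TC, and frames the retry for TCP. All function names and the sample transaction ID are this example's own choices.

```python
import struct

# Header flag bits, RFC 1035 section 4.1.1
DNS_FLAG_QR = 0x8000  # response
DNS_FLAG_TC = 0x0200  # truncated: message was cut to fit the UDP limit
DNS_FLAG_RD = 0x0100  # recursion desired
DNS_FLAG_RA = 0x0080  # recursion available
UDP_MAX_PAYLOAD = 512  # classic UDP limit without EDNS0


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (A record by default) with RD set, one question."""
    header = struct.pack("!HHHHHH", txid, DNS_FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; raises on a message too short to be DNS."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & DNS_FLAG_QR),
        "tc": bool(flags & DNS_FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response: bytes, query: bytes) -> bool:
    """RFC 1035 section 4.2.1: TC set means the answer was truncated and the
    same query must be repeated over TCP. Mismatched ID or a non-response is
    rejected rather than trusted."""
    resp = parse_header(udp_response)
    q = parse_header(query)
    if resp["id"] != q["id"] or not resp["qr"]:
        raise ValueError("response does not match query")
    return resp["tc"]


def frame_for_tcp(msg: bytes) -> bytes:
    """TCP transport prefixes every message with a 2-byte big-endian length
    (RFC 1035 section 4.2.2); the payload itself is unchanged."""
    return struct.pack("!H", len(msg)) + msg


def constructed_response(query: bytes, truncated: bool) -> bytes:
    """Constructed sample server reply (not captured traffic): echoes the
    question with QR/RD/RA set, TC set when requested, and no answer records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = DNS_FLAG_QR | DNS_FLAG_RD | DNS_FLAG_RA
    if truncated:
        flags |= DNS_FLAG_TC
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + query[12:]


if __name__ == "__main__":
    q = build_query("example.com")
    for trunc in (False, True):
        r = constructed_response(q, truncated=trunc)
        if needs_tcp_retry(r, q):
            print("UDP answer truncated; retry over TCP/53:", frame_for_tcp(q).hex())
        else:
            print("UDP answer complete; no TCP needed")
```

In the truncated case a resolver behind a firewall that blocks TCP/53 never gets the full answer, which is the conformance failure Patrick describes; the UDP-only path still works for every answer under 512 bytes, which is the 99.999% Tom describes.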