On Fri, Feb 22, 2002 at 02:09:50PM -0800, Tom Marshall wrote:
> On Fri, Feb 22, 2002 at 08:27:48PM +0100, Patrick Schaaf wrote:
> > On Fri, Feb 22, 2002 at 10:32:10AM -0800, Tom Marshall wrote:
> > > DNS uses UDP. TCP is normally only used for zone transfers. There is
> > > significant philosophical discussion about this issue every time it is
> > > raised.. apparently some version(s) of AIX always use TCP for DNS requests.
> > > But it works for about 99.999% of all requests.
> >
> > It's not a philosophical question, but a technical question about whether
> > you support the standard. You can make up rationalisations about why
> > your standard violation won't affect you, but those self-justifications
> > are irrelevant. Your implementation is either standard-conforming, or not.
> > Blocking TCP DNS requests isn't, plain and simple. Face it. Say it out loud:
> >
> > You are free to call that philosophy. I chose to call it stupidity.
>
> Call it what you like. When the next bind exploit comes out, my machine
> isn't going to get hacked. If that means that someone with an old version
> of AIX cannot lookup my domain names, then that's just fine with me. If
> that means that someone is going to argue with me on a mailing list, that's
> fine too. It's not worth enabling TCP when the valid-request-to-hacker
> ratio is so close to zero. Sure, it's not a technical reason. It's a
> security reason.
I'm neither agreeing nor disagreeing here, but your statement assumes that the
next BIND exploit will only be possible over TCP. How do you know this?

--
Nate

"Smash forehead on keyboard to continue." -Anon.
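As an added illustration of the standards point argued in this thread (this is not code from any of the posters), the Python script below does what RFC 1035 expects of a resolver: it sends the query over UDP and retries the same query over TCP only when the reply comes back with the TC (truncated) bit set. Run against a server whose firewall drops TCP/53, it shows which lookups break: everything that fits in a 512-byte UDP reply still works, and only truncated answers fail. The server address and the query name are placeholders, and the wire-format helpers (`build_query`, `parse_header`, `tcp_frame`, `tcp_unframe`) are written here for the example.

```python
import socket
import struct

# Added example: a standard-conforming DNS lookup that uses UDP first and
# falls back to TCP only when the UDP reply is truncated (TC bit set). This
# fallback is the RFC 1035 behaviour for which a client needs TCP/53.

QTYPE_A = 1
QCLASS_IN = 1
FLAG_TC = 0x0200  # truncation bit (bit 9) in the DNS header flags word


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Encode a minimal DNS query (12-byte header + one question) as wire bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header; the TC flag decides whether TCP is needed."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    """Strip the TCP length prefix and return exactly one DNS message."""
    if len(data) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("short TCP DNS message")
    return data[2:2 + length]


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket (TCP does not preserve boundaries)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed early")
        buf += chunk
    return buf


def resolve(name, server, timeout=3.0):
    """Return (transport, header) for a lookup; raises if TCP is needed but filtered."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(512)
    header = parse_header(reply)
    if not header["tc"]:
        return "udp", header
    # Truncated UDP reply: a conforming client repeats the query over TCP.
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", recv_exact(tcp, 2))
        reply = recv_exact(tcp, length)
    return "tcp", parse_header(reply)


if __name__ == "__main__":
    import sys
    # Placeholder server and name; substitute your own resolver and zone.
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    try:
        transport, hdr = resolve("example.com", server)
        print(f"answered over {transport}: {hdr}")
    except (OSError, ValueError) as exc:
        print(f"lookup failed ({exc}); if TCP/53 is filtered, truncated answers cannot be fetched")
```

Usage: `python3 dns_tc_check.py 192.0.2.53` (address is a placeholder). A server that fits its answers in 512 bytes will always report `udp`, which is the case the "99.999%" figure in the thread refers to; any answer large enough to be truncated reports `tcp`, or a timeout when TCP/53 is dropped, which is the conformance gap the other side of the argument is describing.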