I could start spouting war stories about things that have broken with
53/tcp blocked as I'm sure others can as well.

You may not get complaints because the people who try to get to you don't
care enough about your company to complain, they just go elsewhere.

As was pointed out by others there are clients out there that use tcp
instead of udp, they are not what is expected, but technically they do
follow the RFCs.

If your company is willing to write off all the potential contacts who use
these machines or who use ISPs who use such machines that is your choice.

But don't try to tell us your way is 'correct'. It sacrifices
interoperability for security (or at least the perception of it). This is
a deliberate choice on your part and you are apparently willing to live
with the consequences.

David Lang

 On Mon, 25 Feb 2002, Tom Marshall wrote:

> On Mon, Feb 25, 2002 at 09:30:31AM +0000, George Ross wrote:
> > > DNS uses UDP.  TCP is normally only used for zone transfers.  There is
> > > significant philosophical discussion about this issue every time it is
> > > raised.  Apparently some version(s) of AIX always use TCP for DNS requests.
> > > But it works for about 99.999% of all requests.
> >
> > Not this again!  It's not a philosophical discussion, it's just that some
> > people haven't read the RFCs.  The spec requires nameservers to answer
> > queries on BOTH 53/tcp and 53/udp.  If yours doesn't it's broken.  If your
> > firewall blocks tcp queries it's broken.  End of story.
>
> You should have seen that I am fully aware of the implications by reading my
> message.  I know exactly what the RFCs say.  I have read them thoroughly and
> I have written resolver code.  I know that refusing TCP/53 is not in strict
> compliance and I know that nobody uses TCP/53 for queries in the real world.
> Zone transfers are accomplished very easily by other means.
>
> How about this .. you run a nameserver that answers both TCP and UDP. I'll
> run one that answers only UDP.  Which do you think will happen first: you
> get hacked, or I get a complaint?  Obviously I'd bet on the former.
>
> Or how about logging the number of valid requests you get on TCP/53 versus
> the number of attempted exploits?  What do you think the ratio will be?
> Just about zero.
>
> My logs show a constant barrage of hackers looking for DNS vulnerabilities
> via TCP.  I can't recall the last time someone tried to hack in to my
> machine via UDP.
>
> Running an RFC compliant nameserver is fine and dandy if you are on a
> private LAN but I wouldn't do it on the internet.  Is my nameserver broken?
> It's not 100% compliant with the RFCs.  But it works, I've never gotten a
> complaint, and it will most likely not get hacked.
>
> Of course it's possible to get hacked via UDP.  It's also possible that
> someone will find an exploit for one of my other services.  But neither is
> very likely.
>
> --
> Unplug and get connected: http://www.seattlewireless.net/
>
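The mechanism the thread is arguing over, as an added example that is not code from anyone in this exchange: a minimal stub resolver that sends its query over UDP and, when the reply comes back with the TC (truncation) bit set, retries the same query over TCP with the two-byte length prefix RFC 1035 section 4.2.2 requires. The transports are injected as plain functions so the script runs offline against constructed replies; `www.example.net`, the 192.0.2.x addresses, and every function name are made up for the illustration. With `tcp_filtered` standing in for a firewall that drops 53/tcp, the client ends up with no usable answer even though the nameserver itself is fine, which is the interoperability cost David Lang is describing.

```python
"""Stub resolver: UDP query, TCP retry on truncation (RFC 1035, sections 4.1.1 and 4.2.2).
Added example, not from the mailing-list thread.  Transports are injectable so the
script runs offline; a real client would pass socket-based senders instead."""
import struct

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid, name, qtype=QTYPE_A):
    """Header (ID, RD set, QDCOUNT=1) followed by a single question."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def tcp_frame(msg):
    """Over TCP every DNS message carries a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(buf):
    """Strip the length prefix, refusing a stream that does not hold the whole message."""
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + length:
        raise ValueError("short TCP read: want %d bytes, have %d" % (length, len(buf) - 2))
    return buf[2:2 + length]


def parse_header(msg):
    """Return the header fields a resolver needs to decide what to do with a reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def resolve(qid, name, udp_send, tcp_send):
    """udp_send(msg) returns the raw UDP reply; tcp_send(framed) returns the raw TCP
    stream.  Either may raise OSError when the path is unreachable (e.g. 53/tcp filtered)."""
    query = build_query(qid, name)
    hdr = parse_header(udp_send(query))
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("UDP reply does not match query")
    if not hdr["tc"]:
        return {"transport": "udp", "ancount": hdr["ancount"], "rcode": hdr["rcode"]}
    try:  # TC=1: the UDP reply is incomplete, so the RFC says retry over TCP.
        stream = tcp_send(tcp_frame(query))
    except OSError as exc:
        return {"transport": "tcp", "error": "TCP fallback failed: %s" % exc}
    full = parse_header(tcp_unframe(stream))
    if full["id"] != qid or not full["qr"]:
        raise ValueError("TCP reply does not match query")
    return {"transport": "tcp", "ancount": full["ancount"], "rcode": full["rcode"]}


# --- Constructed sample server behaviour (hypothetical, not captured traffic) ---
NAME = "www.example.net"
ADDRS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def _answer(qid, name, flags, addrs):
    """Reply: header, the question echoed back, then one A record per address."""
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for ip in addrs:  # owner name is a compression pointer to offset 12, TTL 300
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg


def udp_truncated(query):
    """Answer set too large for the UDP path: server sets TC=1 and sends no RRs."""
    qid = struct.unpack("!H", query[:2])[0]
    return _answer(qid, NAME, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, [])


def tcp_full(framed):
    """Same server on 53/tcp: the complete answer set, length-prefixed."""
    qid = struct.unpack("!H", tcp_unframe(framed)[:2])[0]
    return tcp_frame(_answer(qid, NAME, FLAG_QR | FLAG_RD | FLAG_RA, ADDRS))


def tcp_filtered(framed):
    """A firewall silently dropping 53/tcp; the client eventually sees a timeout."""
    raise OSError("connection timed out on 53/tcp")


def demo():
    """TCP open completes the lookup; TCP blocked leaves the client with nothing."""
    return {"tcp_open": resolve(0x1234, NAME, udp_truncated, tcp_full),
            "tcp_blocked": resolve(0x1234, NAME, udp_truncated, tcp_filtered)}


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

To test a real server, replace `udp_truncated` and `tcp_full` with functions that send through `socket.SOCK_DGRAM` and `socket.SOCK_STREAM` respectively; the framing and fallback logic stay the same. Note that the UDP reply is discarded whenever TC is set, so a client behind a firewall that drops 53/tcp does not get a partial answer, it gets no answer at all.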
