First: if you don't allow TCP queries, then you're going to break lots of recent applications for DNS. Second: unless your server and resolver support EDNS0, there is no way to increase the size of a UDP response, and even then, it's not large enough for many applications (ENUM, TXT, APL, etc.). TCP response to queries has been specified since RFC1035. The maximum message size is limited to 65535 bytes (due to the 16bit message size field before the header). RE the Cisco questions: this would not be the first time Cisco lagged in supporting enhanced services on the network.
-----Original Message----- From: Jon Kibler [mailto:Jon.Kibler@aset.com] Sent: Friday, June 13, 2008 11:52 AM To: Kevin Oberman Cc: nanog@merit.edu Subject: Re: DNS problems to RoadRunner - tcp vs udp
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Kevin Oberman wrote:
If it does not, you should be very concerned. The RFCs
I'll point first to good old 1122) allow either TCP or UDP to be used for any operation that will fit in a 512 byte transfer. (EDNS0 allows larger UDP.)
TCP is to be used any time a truncated bit is set in a replay. If you ever send a large reply that won't fit in 512 bytes, the request will be repeated using a TCP connection. If you ignore these, your DNS is broken. It is even allowed under the spec to start out with TCP, as AXFR queries typically do.
Yes, I realize that this is fairly common and it does not break much, but, should DNSSEC catch on, you might just find the breakage a bit worse than it is today and there is no reason to have even
(several, but the slight
breakage that is there now.
Okay, I stand corrected. I was approaching this from a security perspective only, and apparently based on incorrect information.
But this leaves me with a couple of questions:
Various hardening documents for Cisco routers specify the best practices are to only allow 53/tcp connections to/from secondary name servers. Plus, from all I can tell, Cisco's 'ip inspect dns' CBAC appears to only handle UDP data connections and anything TCP would be denied. From what you are saying, the hardening recommendations are wrong and that CBAC may break some DNS responses. Is this correct?
Also, other than "That's what the RFCs call for," why use TCP for data exchange instead of larger UDP packets?
Jon Kibler - -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA o: 843-849-8214 c: 843-224-2494 s: 843-564-4224
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkhSwc4ACgkQUVxQRc85QlPzkACeOuKS3ni0uTNrjpcjY2tOZmc5 wbcAn1T85g7sBXkjOsWFENxWAtnT/kny =GlaW -----END PGP SIGNATURE-----
================================================== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.