On Mon, Jun 07, 2004 at 02:27:10PM -0700, Michel Py wrote:
> I wrote "queries", not "transfers". To begin with, I looked at customers'
> access-lists this morning WRT DNS and I have not found a single one that
> allowed DNS over TCP except for a small number of other DNS servers
> that are known to transfer zones with the DNS server protected by the
So all of their firewalls are broken. Gotcha. :)
> have to explain to me how you do that. At this point in time DNS queries
> over TCP are not an option because a) they are largely untested and b)
> they are blocked by almost every access-list in the world.
Says you. To me, it sounds like the admin doesn't know DNS does UDP
and TCP. (To note: every firewall I've ever set up or taken over supports
UDP and TCP, and all firewall appliances I've seen understand both should
be allowed when you say "service dns"...)
> Note that it says permit udp, not permit tcp or permit ip.
Then they're broken IMHO. The RFC is very clear that TCP is going
to happen sometimes, although it technically only specifies that
servers/clients "SHOULD" do TCP if the UDP response is truncated:
http://www.faqs.org/rfcs/rfc1123.html
6.1.3.2 Transport Protocols
DNS resolvers and recursive servers MUST support UDP, and
SHOULD support TCP, for sending (non-zone-transfer) queries.
Specifically, a DNS resolver or server that is sending a
non-zone-transfer query MUST send a UDP query first. If the
Answer section of the response is truncated and if the
requester supports TCP, it SHOULD try the query again using
TCP.
[... snipped very nice discussion section ...]
However, it is also clear that some new DNS record
types defined in the future will contain information
exceeding the 512 byte limit that applies to UDP, and
hence will require TCP. Thus, resolvers and name
servers should implement TCP services as a backup to
UDP today, with the knowledge that they will require
the TCP service in the future.
http://www.faqs.org/rfcs/rfc1035.html
4.2. Transport
The DNS assumes that messages will be transmitted as datagrams or in a
byte stream carried by a virtual circuit. While virtual circuits can be
used for any DNS activity, datagrams are preferred for queries due to
their lower overhead and better performance. Zone refresh activities
must use virtual circuits because of the need for reliable transfer.
The Internet supports name server access using TCP [RFC-793] on server
port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
port 53 (decimal).
4.2.1. UDP usage
Messages sent using UDP user server port 53 (decimal).
Messages carried by UDP are restricted to 512 bytes (not counting the IP
or UDP headers). Longer messages are truncated and the TC bit is set in
the header.
http://www.faqs.org/rfcs/rfc1912.html
[...] You also run the risk of overflowing the 512-byte limit of a
UDP packet in the response to an NS query. If this happens, resolvers
will "fall back" to using TCP requests, resulting in increased load
on your nameserver.
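The truncate-then-retry behaviour the RFC excerpts above describe, as an added example that is not part of the original message: a server-side model of the 512-byte UDP limit with the TC bit, the client-side TCP retry decision, the 2-byte length framing TCP uses, and what happens when an access-list permits udp but not tcp. All messages are constructed in the script; the RR bodies are opaque filler.

```python
import struct

DNS_UDP_MAX = 512   # RFC 1035 4.2.1: UDP payload limit, excluding IP/UDP headers
TC_BIT = 0x0200     # TrunCation flag in the 16-bit header flags word

def parse_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte DNS header (RFC 1035 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "qr": bool(flags & 0x8000),
            "tc": bool(flags & TC_BIT), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def truncate_for_udp(msg: bytes, limit: int = DNS_UDP_MAX) -> bytes:
    """Server side: a response longer than the UDP limit is cut at the limit
    and TC is set so the client knows to retry over TCP. (Simplified: real
    servers cut at RR boundaries and fix up the section counts.)"""
    if len(msg) <= limit:
        return msg
    flags = struct.unpack("!H", msg[2:4])[0] | TC_BIT
    return msg[:2] + struct.pack("!H", flags) + msg[4:limit]

def needs_tcp_retry(udp_response: bytes) -> bool:
    """Client side (RFC 1123 6.1.3.2): retry the same query over TCP if TC is set."""
    return parse_header(udp_response)["tc"]

def frame_for_tcp(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP each message is preceded by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def build_response(ident: int, ancount: int, payload_len: int) -> bytes:
    """Constructed sample response: a QR/RD/RA NOERROR header plus filler bytes
    standing in for the question and resource records."""
    header = struct.pack("!6H", ident, 0x8180, 1, ancount, 0, 0)
    return header + b"\x00" * payload_len

def resolve_outcome(server_response: bytes, firewall_allows_tcp: bool) -> str:
    """Model the thread's point: 'permit udp' without 'permit tcp' works until an
    answer exceeds 512 bytes, then the mandated TCP retry is silently dropped."""
    udp_reply = truncate_for_udp(server_response)
    if not needs_tcp_retry(udp_reply):
        return "answered over UDP"
    if firewall_allows_tcp:
        return "answered over TCP retry"
    return "FAILED: truncated UDP answer and TCP retry blocked"

if __name__ == "__main__":
    small = build_response(0x1234, 2, 100)    # fits in one UDP datagram
    big = build_response(0x1234, 40, 900)     # e.g. a large NS or TXT answer set
    for allow_tcp in (True, False):
        print("permit tcp:", allow_tcp, "->", resolve_outcome(big, allow_tcp))
    print("TCP framing adds", len(frame_for_tcp(big)) - len(big), "bytes")
```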
--
Randomly Generated Tagline:
"To round out this virtual experience I recommend removing one of your
socks and using it as a hand puppet. Hold the puppet up to one ear and
have it say things like "This one's really funny!" followed by a loud
maniacal laugh. (But sometimes, just for realism, have the sock say "I
don't get it" in a soft whiney voice.)" - Dilbert Homepage