spf-discuss

RE: Forking SPF into The New SPF and SPF1

2004-06-07 23:18:52
Ryan Malayter wrote:
I concur with Theo. Support for DNS-over-TCP should be
expected from most firewalls, per the DNS RFCs.

This has nothing to do with supporting the feature or the RFCs;
obviously you are not familiar enough with Cisco configuration to have
grasped that the config I pasted was from a straight IOS named extended
access-list, which does not have this kind of limitation. Today, even
el-cheapo gear supports at least TCP and UDP filtering by port.


Were they all set up from the same "default" configuration
file before deployment?

There is no default configuration file on a Cisco router or firewall;
not even a "default" one. I'm sorry to say it bluntly, but if you need
templates to configure a firewall you should not be configuring one in
the first place. Default configs or templates are designed to be
hassle-free, which means they don't block anything that could generally
happen at the network layer. This is not what the engineer who does
advanced router/firewall config does.


Each of the 16 flavors of SonicWall, WatchGuard, and Checkpoint/
Nokia devices I administer or define the "DNS protocol"
as TCP *or* UDP over port 53. I think perhaps your customers'
firewalls are misconfigured, Michel.

This is not misconfiguration, it's configuration that has been done
purposely. I understand that there are exceptions, but in no network
that I have seen myself is there a need for DNS replies that exceed 512
bytes to an unknown host; therefore there is no need to open TCP/53
except to a small set of semi-trusted hosts that are known to do things
such as zone transfers between a primary and a secondary, which do
require TCP.

I don't know on what planet you live, but on the one I do, the DNS
server might be in a room where you need the triple combination of a
card, a pin and an iris scan to get in, and where they weigh you on the
way in and on the way out (the place to take care of personal business
being before the mouse trap). The firewall might require written
authorization from a senior exec before being reconfigured. The bump
under the guard's jacket is not his wallet. There are three answers you
will get when asking to change _anything_ in the routing/firewall config
as related to DNS: no, no, and no.

I have looked at more routers in the afternoon; out of the 24 customer
router templates (2600-7500, which represent 400 routers) I looked at,
10 have initial config that comes from me, 14 have been done by the
customer and zero allow TCP/53 from an unknown source.

I understand that MARID might require DNS queries over TCP, allow me to
make my point again:
a) We are not talking about transfers, we are talking about queries.
b) Everybody I know is currently using DNS over UDP queries.
c) Nobody I know is currently using DNS over TCP queries.
d) Almost everybody I know is currently blocking DNS queries over TCP,
which does break any MARID scheme that uses DNS queries over TCP.
 
I repeat: as of today, in 99% of networks, there is not a _single_
reason to allow TCP/53 from untrusted hosts. Any port that's open
without a reason is plain stupidity. The security-minded (otherwise
known as "paranoid") network engineer works under two premises: a)
defense-in-depth and b) deny everything by default, which means you have
to come up with a hell of a good reason and sometimes CTO/VP approval
before any protocol/port combination is opened in the firewall and the
packet-based access-control system.

I don't care what the RFC says. TCP/53 is widely blocked because almost
nobody has used it for the last 10 years, and since nobody has complained
about it it's going to remain blocked. Point #2: before you get my evil
twin to hear about it and my evil SVP to approve the firewall change,
it's not going anywhere. <hint>A case of '97 Sassicaia for zebigboss and
another one for me have occasionally helped to reduce the
administrative delay.</hint>


Theo Van Dinter wrote:
Says you.  To me, it sounds like the admin
doesn't know DNS does UDP and TCP.

The admin, whether it's me or the customer, knows very well the difference
between TCP and UDP, and said admin does not open a TCP port that nobody
uses for the sole purpose of making the DNS server vulnerable to SYN
flood attacks and pleasing the IETF, thank you.

Michel Py
CCIE #6673
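The mechanism the post argues about, as an added example that is not part of the original message or of any SPF/MARID implementation: a resolver sends its query over UDP/53, and if the server's reply did not fit in the classic 512-byte UDP payload it comes back with the TC (truncated) bit set, at which point RFC 1035 requires a retry over TCP/53 with the 2-byte length prefix. A packet filter that passes UDP/53 and drops TCP/53 therefore does not affect small answers at all, but turns every truncated answer into a failed lookup. The transports are injected callables and the server replies are constructed inline so the code runs offline; the real-socket senders at the end are assumptions about how one would point it at a live resolver.

```python
import socket
import struct

# Added example, not code from the spf-discuss thread: a minimal RFC 1035
# query builder and header parser, used to show why a filter that passes
# UDP/53 but drops TCP/53 breaks any lookup whose answer is truncated.

TYPE_TXT = 16          # SPF/MARID policies were published as TXT records
CLASS_IN = 1
FLAG_QR = 0x8000       # message is a response
FLAG_TC = 0x0200       # truncated: the reply did not fit in the UDP limit
FLAG_RD = 0x0100       # recursion desired
FLAG_RA = 0x0080       # recursion available
UDP_MAX_PAYLOAD = 512  # pre-EDNS0 UDP limit from RFC 1035 section 2.3.4


def build_query(name: str, qtype: int = TYPE_TXT, txid: int = 0x1234) -> bytes:
    """Standard query: 12-byte header plus one question, no answer records."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the header; TC is the bit a resolver must honour."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def build_response(query: bytes, truncated: bool) -> bytes:
    """Constructed server reply that echoes the question (no RRs), TC set on request."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def needs_tcp_retry(udp_reply: bytes) -> bool:
    """RFC 1035 4.2.1: a response with TC set must be retried over TCP."""
    h = parse_header(udp_reply)
    return h["qr"] and h["tc"]


def resolve(name: str, udp_send, tcp_send) -> dict:
    """Query over UDP first; fall back to TCP only when the reply is truncated.

    udp_send(bytes) -> bytes and tcp_send(framed bytes) -> framed bytes are
    injected so this runs offline. Against a real network tcp_send raises
    (timeout or connection refused) when TCP/53 is filtered: that is the
    failure mode the post describes.
    """
    query = build_query(name)
    reply = udp_send(query)
    if parse_header(reply)["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")
    if not needs_tcp_retry(reply):
        return parse_header(reply)
    framed = tcp_send(tcp_frame(query))          # raises if TCP/53 is blocked
    length = struct.unpack("!H", framed[:2])[0]
    return parse_header(framed[2:2 + length])


def udp_sender(server: str, port: int = 53, timeout: float = 3.0):
    """Real UDP transport for a live resolver (assumed usage, not run offline)."""
    def send(query: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recv(UDP_MAX_PAYLOAD)
    return send


def tcp_sender(server: str, port: int = 53, timeout: float = 3.0):
    """Real TCP transport; a filtered TCP/53 surfaces here as a timeout or refusal."""
    def send(framed: bytes) -> bytes:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(framed)
            hdr = s.recv(2)
            length = struct.unpack("!H", hdr)[0]
            body = b""
            while len(body) < length:
                chunk = s.recv(length - len(body))
                if not chunk:
                    break
                body += chunk
            return hdr + body
    return send


if __name__ == "__main__":
    # Offline demonstration with constructed transports.
    ok_udp = lambda q: build_response(q, truncated=False)
    tc_udp = lambda q: build_response(q, truncated=True)
    tcp_ok = lambda f: tcp_frame(build_response(f[2:], truncated=False))

    def tcp_blocked(_framed: bytes) -> bytes:
        raise TimeoutError("TCP/53 dropped by packet filter")

    print(resolve("example.com", ok_udp, tcp_blocked))   # small answer: filter irrelevant
    print(resolve("example.com", tc_udp, tcp_ok))        # TC set, TCP retry succeeds
    try:
        resolve("example.com", tc_udp, tcp_blocked)
    except TimeoutError as e:
        print("lookup failed:", e)                       # TC set, TCP/53 filtered
```

The third call in the demonstration is the case at issue in the thread: the UDP reply is syntactically valid but carries no usable answer, so a resolver that honours TC has nothing to fall back to once TCP/53 is filtered. Zone transfers (AXFR) are a separate TCP use and are not modelled here.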