Hi Jason,
        Stevens says, "When the resolver issues a query and the response
comes back with the TC bit set ("truncated") it means the size of the
response exceeded 512 bytes, so only the first 512 bytes were returned by
the server. The resolver normally issues the request again, using TCP.
This allows more than 512 bytes to be returned."
        Now when you mention 'blocking' it, I assume you're talking about
blocking TCP 53 from external networks incoming to your internal network(s)
with some sort of firewall device. So, if you have any host entries in
which the data returned to resolver is greater than 512 bytes (fairly common
for large round robin entries), then it could possibly break resolution or
at least cripple functionality for some external users depending on how
their DNR handles the absence of TCP DNS resolution.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchelkde.state.ky.us
Web http://www.kde.state.ky.us/

> -----Original Message-----
> From: Jason Lewis [mailto:jlewisJASONLEWIS.NET]
> Sent: Saturday, May 05, 2001 12:36 PM
> To: INCIDENTSSECURITYFOCUS.COM
> Subject: DNS ports and scans
>
>
> DNS queries are on UDP port 53. TCP port 53 is used for zone
> transfers. By
> blocking TCP port 53 I can't do zone transfers, but clients
> can still do
> lookups on UDP 53. Since I have blocked TCP port 53, I have
> seen a decrease
> in attack attempts on my name servers, primarily because that
> port isn't
> open. I do still see scans for the DNS ports, but nothing
> more than a port
> scan.
>
> My question is...Can anyone come up with any pros/cons of doing this?
>
> My name servers are successfully serving my domains, so I don't see a
> downside. Thoughts?
>
> Jason Lewis
> http://www.rivalpath.com
> "All you can do is manage the risks. There is no security."
>

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]