North American Network Operators Group


Re: large organization nameservers sending icmp packets to dns servers.

  • From: Joe Abley
  • Date: Wed Aug 08 12:45:16 2007



On 8-Aug-2007, at 11:59, Jamie Bowden wrote:

> I have a question related to what you posted below, and it's a pretty
> simple one:
>
> How is answering a query on TCP/53 any MORE dangerous than answering it
> on UDP/53? Really. I'd like to know how one of these security nitwits
> justifies it. It's the SAME piece of software answering the query
> either way.

There are people (I believe; this is a little rumour-laden) who take the approach that 53/tcp is actually safer than 53/udp, since the handshake makes it easier to believe the query's source address. The approach I heard about was to reply to UDP-transport queries with some minimal answer set with TC set, and serve a more useful set of information over TCP once the re-query arrives.


[I realise that the state involved in handling TCP queries on a busy server is non-trivial, and that there are many aspects to this approach which deserve raised eyebrows.]

However, my point is that "TCP is more secure than UDP" also has a posse.


Joe
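The "minimal answer with TC set over UDP, full answer over TCP" scheme Joe describes, as an added worked example; this is not code from the thread or from any nameserver named in it. It builds DNS wire-format messages by hand so it runs offline: the zone contents, the query ID and the `build_response` / `resolve` function names are all constructed for the illustration. The server side answers any UDP query with just the echoed question and the TC bit, so the client (which follows the standard RFC 1035 fallback of retrying over TCP when TC is set) only ever sees real data once the three-way handshake has vouched for its source address.

```python
import socket  # only for inet_aton, to build A-record RDATA
import struct

# Constructed zone data for this example (not from the original thread).
# Key: (owner name, QTYPE); value: list of IPv4 addresses.  QTYPE 1 = A.
ZONE = {
    ("example.com.", 1): ["192.0.2.1", "192.0.2.2"],
}

FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated: client should retry over TCP
FLAG_RD = 0x0100  # recursion desired (echoed from the query)


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name at offset; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(name, qtype=1, qid=0x1234):
    """Build a plain query as a stub resolver would send it (ID is arbitrary)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    """Return (id, flags, qname, qtype, qclass, raw question section)."""
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return qid, flags, qname, qtype, qclass, msg[12:off + 4]


def build_response(query, transport):
    """Server side.  transport is 'udp' or 'tcp'.
    UDP: echo the question, no answers, TC set (the 'minimal answer set').
    TCP: the full answer set, since the handshake vouched for the source."""
    qid, qflags, qname, qtype, qclass, question = parse_query(query)
    flags = FLAG_QR | FLAG_AA | (qflags & FLAG_RD)
    if transport == "udp":
        header = struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0)
        return header + question
    answers = ZONE.get((qname, qtype), []) if qclass == 1 else []
    rrs = b""
    for addr in answers:
        # owner, TYPE A, CLASS IN, TTL 300, RDLENGTH 4, then the address
        rrs += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    return header + question + rrs


def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


def answer_count(response):
    return struct.unpack("!H", response[6:8])[0]


def resolve(query, server=build_response):
    """Client side: try UDP first; if TC is set, re-query over TCP.
    Returns (transport that produced the final answer, response bytes)."""
    resp = server(query, "udp")
    if not is_truncated(resp):
        return "udp", resp
    return "tcp", server(query, "tcp")


if __name__ == "__main__":
    q = build_query("example.com.")
    transport, r = resolve(q)
    print(transport, answer_count(r))
```

The example calls `build_response` directly rather than over real sockets; on the wire a TCP message is additionally prefixed with a two-byte length, which the example omits. Note what the UDP path costs the server: nothing beyond a single packet with no payload to amplify, which is the whole point, while the TCP path carries the connection state Joe mentions in his bracketed caveat.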