Re: large organization nameservers sending icmp packets to dns servers.

North American Network Operators Group

Re: large organization nameservers sending icmp packets to dns servers.

From: David Conrad
Date: Wed Aug 08 13:03:51 2007

On Aug 8, 2007, at 8:59 AM, Jamie Bowden wrote:

How is answering a query on TCP/53 any MORE dangerous than answering it on UDP/53? Really. I'd like to know how one of these security nitwits justifies it. It's the SAME piece of software answering the query either way.

How many bytes of shell code can you stuff in a 512 byte DNS UDP packet?

How many bytes of shell code can you stuff in a TCP DNS connection?

Rgds,
-drc

P.S. I still think blocking TCP/53 is stupid.

Follow-Ups:
- Re: large organization nameservers sending icmp packets to dns servers. Doug Barton

References:
- Re: large organization nameservers sending icmp packets to dns servers. John Levine
- Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks
- RE: large organization nameservers sending icmp packets to dns servers. Jason J. W. Williams
- RE: large organization nameservers sending icmp packets to dns servers. Donald Stahl
- Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore
- Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks
- Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore
- Re: large organization nameservers sending icmp packets to dns servers. Donald Stahl
- Re: large organization nameservers sending icmp packets to dns servers. Steve Gibbard
- RE: large organization nameservers sending icmp packets to dns servers. Jamie Bowden

Prev by Date: Re: large organization nameservers sending icmp packets to dns servers.
Next by Date: Re: large organization nameservers sending icmp packets to dns servers.
Date Index
Thread Index
Author Index
Historical