Re: DNS problems to RoadRunner - tcp vs udp

• From: Justin Shore
• Date: Fri Jun 13 16:02:32 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

Various hardening documents for Cisco routers specify the best practices
are to only allow 53/tcp connections to/from secondary name servers.
Plus, from all I can tell, Cisco's 'ip inspect dns' CBAC appears to only
handle UDP data connections and anything TCP would be denied. From what
you are saying, the hardening recommendations are wrong and that CBAC
may break some DNS responses. Is this correct?

Also, other than "That's what the RFCs call for," why use TCP for data
exchange instead of larger UDP packets?

• Follow-Ups:
  • Re: DNS problems to RoadRunner - tcp vs udp Justin Shore

• References:
  • Re: DNS problems to RoadRunner - tcp vs udp Kevin Oberman
  • Re: DNS problems to RoadRunner - tcp vs udp Jon Kibler

• Prev by Date: Re: .255 addresses still not usable after all these years?
• Next by Date: Re: DNS problems to RoadRunner - tcp vs udp
• Date Index
• Thread Index
• Author Index
• Historical