
Disable TCP/53


Tan Chun Han/ITNOC/PBB/PBBG
Feb 20, 2002, 9:19:19 PM

Hi, our firewall keeps detecting and rejecting TCP/53 queries.
Does bind by default use TCP/53 and UDP/53? Is there any way to disable
TCP/53, thus enabling UDP/53?

Mark_A...@isc.org
Feb 20, 2002, 9:37:52 PM

>
> Hi, our firewall keeps detecting and rejecting TCP/53 queries.
> Does bind by default use TCP/53 and UDP/53? Is there any way to disable
> TCP/53, thus enabling UDP/53?

If your firewall keeps getting queries for TCP/53 then in all
probability you are sending back responses that require TCP
to complete. DNS defaults to using UDP and only uses TCP if
it is required (AXFR, answer too large to fit in a UDP response)
or is specifically requested.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.A...@isc.org

Jim Reid
Feb 20, 2002, 9:45:12 PM

>>>>> "Tan" == Tan Chun Han/ITNOC/PBB/PBBG <ta...@publicbank.com.my> writes:

Tan> Hi, our firewall keeps detecting and rejecting TCP/53
Tan> queries. Does bind by default use TCP/53 and UDP/53?

Yes. So does any name server that complies with the DNS protocol. Read
RFC 1035. Here's an excerpt:

4.2. Transport

The Internet supports name server access using TCP [RFC-793] on server
port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
port 53 (decimal).


Tan> Is there any way to disable TCP/53, thus enabling UDP/53?

No. [Not that disabling TCP/53 could somehow automagically enable
UDP/53 anyway.] Name servers are supposed to accept queries on port 53
from both TCP and UDP. That's what the DNS protocol says. Your
firewall is broken. Fix it.

p...@icke-reklam.ipsec.nu
Feb 21, 2002, 1:34:58 AM

Your firewall is erroneously denying TCP/53

Fix the fw config and the messages will go away.


--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but i'm trying to keep spam out.
Remove "icke-reklam" and it works.

Tan Chun Han/ITNOC/PBB/PBBG
Feb 21, 2002, 11:47:09 PM

hi phn, as far as i know, DNS should use UDP/53 only and not TCP, that is why
our FW is configured for UDP, unless there's zone transfers. as for our case, this
is only our Internal DNS for it to resolve MX records and www addresses.
therefore we don't need TCP/53 for name server resolving.

thanks and regards


p...@icke-reklam.ipsec.nu@isc.org on 21/02/2002 02:26:16 PM

Sent by: bind-use...@isc.org

To: comp-protoc...@isc.org
cc:

Subject: Re: Disable TCP/53

Tan Chun Han/ITNOC/PBB/PBBG <ta...@publicbank.com.my> wrote:

> Hi, our firewall keeps detecting and rejecting TCP/53 queries.
> Does bind by default use TCP/53 and UDP/53? Is there any way to disable
> TCP/53, thus enabling UDP/53?

Your firewall is erroneously denying TCP/53

Fix the fw config and the messages will go away.

--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but i'm trying to keep spam out.
Remove "icke-reklam" and it works.

George Young
Feb 22, 2002, 12:05:35 AM


George Young / G-L Data, Inc / Morristown, NJ / 732.433.7900

Danny Mayer
Feb 22, 2002, 12:20:29 AM

At 01:49 AM 2/21/02, Tan Chun Han/ITNOC/PBB/PBBG wrote:


>hi phn, as far as i know, DNS should use UDP/53 only and not TCP, that is why
>our FW is configured for UDP, unless there's zone transfers. as for our case, this
>is only our Internal DNS for it to resolve MX records and www addresses.
>therefore we don't need TCP/53 for name server resolving.

Then your FW configuration is broken. DNS listens on both TCP/53 and UDP/53
and is required to do so. There are a number of cases where the UDP
packet is too small for the response to the query, so the truncation bit is set
on the response so that the request may retry using TCP.

Danny
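Mark Andrews and Danny Mayer both point at the same mechanism: a response that does not fit in a UDP datagram comes back with the truncation bit set, and the client then repeats the query over TCP/53. The script below is an added illustration of that mechanism, not code from any poster or from BIND. It assembles DNS messages by hand in RFC 1035 wire format, applies the 512-byte UDP ceiling, and shows what a client does with a TC=1 reply. The name `www.example.com`, the 192.0.2.x addresses and the query ids are constructed for the demo; the "drop whole RRs until it fits" truncation is a simplification (real servers may return fewer records or none when they truncate).

```python
"""Added example (not from the thread): why blocking TCP/53 breaks resolution.

Builds DNS messages in RFC 1035 wire format, applies the 512-byte UDP limit,
and shows the truncation (TC) bit that tells a client to retry over TCP.
All names and addresses are constructed for the demo (documentation ranges).
"""
import struct

UDP_PAYLOAD_LIMIT = 512   # RFC 1035 ceiling for DNS over UDP (no EDNS0)
FLAG_QR = 0x8000          # header flag: this message is a response
FLAG_TC = 0x0200          # header flag: response was truncated
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def a_record(name, ipv4, ttl=300):
    """One A resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata


def build_udp_response(qid, qname, answers):
    """Server side. Append whole RRs while the datagram stays within the UDP
    limit; if any RR had to be left out, set TC so the client knows the
    answer is incomplete. (Real servers may truncate more aggressively.)"""
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    size = 12 + len(question)          # 12-byte header plus question section
    kept, truncated = [], False
    for rr in answers:
        if size + len(rr) > UDP_PAYLOAD_LIMIT:
            truncated = True
            break
        kept.append(rr)
        size += len(rr)
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(kept), 0, 0)
    return header + question + b"".join(kept)


def parse_header(msg):
    """Decode the 12-byte header into the fields the client cares about."""
    qid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "ancount": ancount}


def client_transport_for(reply):
    """Client side. A TC=1 reply is not an error: the resolver must resend the
    same question over TCP/53, which is exactly the traffic a UDP-only
    firewall rule drops."""
    return "tcp-retry" if parse_header(reply)["tc"] else "udp-ok"


def demo():
    """Two answers for the same name: a 2-address RRset and a 40-address one."""
    name = "www.example.com"
    small = build_udp_response(0x1234, name,
                               [a_record(name, "192.0.2.%d" % i) for i in (1, 2)])
    large = build_udp_response(0x1235, name,
                               [a_record(name, "192.0.2.%d" % i) for i in range(1, 41)])
    return {"small": (len(small), parse_header(small)["ancount"], client_transport_for(small)),
            "large": (len(large), parse_header(large)["ancount"], client_transport_for(large))}


if __name__ == "__main__":
    for label, (size, count, action) in demo().items():
        print("%s: %d bytes, %d answers, client action: %s" % (label, size, count, action))
```

Run it and the 40-address answer comes back at 498 bytes with only 15 records and TC set; the two-address answer fits in 95 bytes. A firewall that drops the client's TCP retry leaves the first case permanently unresolved, which is the failure Kevin Darcy later describes as "things just break unexpectedly".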


p...@icke-reklam.ipsec.nu
Feb 22, 2002, 3:47:57 AM

Tan Chun Han/ITNOC/PBB/PBBG <ta...@publicbank.com.my> wrote:


> hi phn, as far as i know, DNS should use UDP/53 only and not TCP, that is why
> our FW is configured for UDP, unless there's zone transfers. as for our case, this
> is only our Internal DNS for it to resolve MX records and www addresses.
> therefore we don't need TCP/53 for name server resolving.

> thanks and regards

Nope, DNS is defined to use UDP and TCP ( tcp is free to use, and
is needed in case truncation occurs).

So go back and fix that FW, it's broken as it's configured now.

peter h


> p...@icke-reklam.ipsec.nu@isc.org on 21/02/2002 02:26:16 PM

> Sent by: bind-use...@isc.org

> To: comp-protoc...@isc.org
> cc:

> Subject: Re: Disable TCP/53

> Tan Chun Han/ITNOC/PBB/PBBG <ta...@publicbank.com.my> wrote:

>> Hi, our firewall keeps detecting and rejecting TCP/53 queries.
>> Does bind by default use TCP/53 and UDP/53? Is there any way to disable
>> TCP/53, thus enabling UDP/53?

> Your firewall is erroneously denying TCP/53

> Fix the fw config and the messages will go away.

> --
> Peter Håkanson
> IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
> Sorry about my e-mail address, but i'm trying to keep spam out.
> Remove "icke-reklam" and it works.


--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but i'm trying to keep spam out.

Joseph S D Yao
Feb 22, 2002, 8:10:37 AM

On Thu, Feb 21, 2002 at 02:49:10PM +0800, Tan Chun Han/ITNOC/PBB/PBBG wrote:
> hi phn, as far as i know, DNS should use UDP/53 only and not TCP, that is why
> our FW is configured for UDP, unless there's zone transfers. as for our case, this
> is only our Internal DNS for it to resolve MX records and www addresses.
> therefore we don't need TCP/53 for name server resolving.

As you've been told many times, your knowledge is limited, and DNS
_does_ use TCP 53 for more than just zone transfers.

--
Joe Yao js...@center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.

dave.go...@intelsat.com
Feb 22, 2002, 4:35:33 PM

There have been a number of responses in the line of "your firewall is
broken -- fix it". This is not necessarily the case. DNS uses TCP for two
reasons. The first is zone transfers, the second is to return responses to
queries that are too large to fit in a UDP packet.

Regarding zone transfers, you should only allow authorized external
secondary DNS servers to do a zone transfer from your server. Two security
settings can be applied here. On the DNS server, you can specify a list of
servers authorized to pull zone files. If you have a firewall of some sort,
you can also restrict access to TCP/53 to your DNS server to the same list
of authorized secondaries. Restricting access to TCP/53 on the firewall
will interfere with the ability to use TCP for large query response but most
people don't have DNS records so complex or numerous that the responses
don't fit in UDP response packets.

Dave Goldsmith

> -----Original Message-----
> From: Tan Chun Han/ITNOC/PBB/PBBG [mailto:ta...@publicbank.com.my]
> Sent: Wednesday, February 20, 2002 9:15 PM
> To: bind-...@isc.org
> Subject: Disable TCP/53
>
> Hi, our firewall keeps detecting and rejecting TCP/53 queries.
> Does bind by default use TCP/53 and UDP/53? Is there any way
> to disable
> TCP/53, thus enabling UDP/53?

############################################################
This email message is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and
destroy all copies of the original message. Any views
expressed in this message are those of the individual
sender, except where the sender specifically states them
to be the views of Intelsat, Ltd. and its subsidiaries.
############################################################

Kevin Darcy
Feb 22, 2002, 6:11:47 PM

What are you so paranoid about? We've had zone-transfers open for years and not
once have we suffered from an AXFR DoS attack. Is all the maintenance of those
firewall rules buying your organization any real security, or is it just
feeding some PHB's gnawing case of paranoia? How many times have you had zone
transfers *break* because an off-site slave re-addressed their server and
forgot to tell you about it?

Oh, and what do you plan to do *if* some day your DNS maintainers decide to create
an RRset which will cause responses to overflow 512 bytes? Will you get enough
advance notice so that you can modify your firewall rules accordingly, or will
things just break unexpectedly?

If you're *that* paranoid about zone transfers, then use TSIG to restrict
access. But leave TCP/53 open on the firewalls. That's the only practical
option, IMO.


- Kevin

Jim Reid
Feb 22, 2002, 9:32:14 PM

>>>>> "dave" == dave goldsmith <dave.go...@intelsat.com> writes:

dave> Regarding zone transfers, you should only allow authorized
dave> external secondary DNS servers to do a zone transfer from
dave> your server. Two security settings can be applied here. On
dave> the DNS server, you can specify a list of servers authorized
dave> to pull zone files. If you have a firewall of some sort,
dave> you can also restrict access to TCP/53 to your DNS server to
dave> the same list of authorized secondaries. Restricting access
dave> to TCP/53 on the firewall will interfere with the ability to
dave> use TCP for large query response but most people don't have
dave> DNS records so complex or numerous that the responses don't
dave> fit in UDP response packets.

While this is true it does not mean that it's OK to block or refuse
TCP queries to port 53. Some applications that make lots of lookups --
like netstat -- can use a TCP connection for their queries.

p...@icke-reklam.ipsec.nu
Feb 23, 2002, 4:02:14 AM

dave.go...@intelsat.com wrote:

> There have been a number of responses in the line of "your firewall is
> broken -- fix it". This is not necessarily the case. DNS uses TCP for two
> reasons. The first is zone transfers, the second is to return responses to
> queries that are too large to fit in a UDP packet.

The third is to answer queries that have been done using TCP.

Remember that one of the big irons once had a version of their un*x that
actually defaulted to TCP. Blocking TCP would prevent all of these
from ever asking such a nameserver.

And it's no option either, it's specifically required
(RFC 1123 6.1.3.2 Transport Protocols)


> Regarding zone transfers, you should only allow authorized external
> secondary DNS servers to do a zone transfer from your server. Two security
> settings can be applied here. On the DNS server, you can specify a list of
> servers authorized to pull zone files. If you have a firewall of some sort,
> you can also restrict access to TCP/53 to your DNS server to the same list
> of authorized secondaries. Restricting access to TCP/53 on the firewall
> will interfere with the ability to use TCP for large query response but most
> people don't have DNS records so complex or numerous that the responses
> don't fit in UDP response packets.

Unless one uses some broken implementations of dynamic update that
causes multiple records of the same "key", this may easily create
lots of records too big for an UDP answer.

> Dave Goldsmith

>> -----Original Message-----
>> From: Tan Chun Han/ITNOC/PBB/PBBG [mailto:ta...@publicbank.com.my]
>> Sent: Wednesday, February 20, 2002 9:15 PM
>> To: bind-...@isc.org
>> Subject: Disable TCP/53
>>
>> Hi, our firewall keeps detecting and rejecting TCP/53 queries.
>> Does bind by default use TCP/53 and UDP/53? Is there any way
>> to disable
>> TCP/53, thus enabling UDP/53?
>


Dave Anderson
Feb 25, 2002, 11:05:59 AM

As people with much better knowledge than I have already said, a
nameserver must listen and reply on port 53 for both UDP and TCP.

If you want (or are required) to be very paranoid about this, the
obvious thing to do is to contract with someone outside your firewall to
provide nameservice for you. If the only reason for not doing this is
that you want to be able to update your zones without going through a
third party, a technique which seems to work well is to contract for
secondary nameservice only and run a hidden primary nameserver inside
your firewall with the firewall configured to block all incoming traffic
for port 53 (both TCP and UDP) unless it is between the outside
secondary nameservers and your hidden primary nameserver. [To allow
blocking all other UDP/53 traffic you must also configure all systems
inside your firewall to send DNS requests to a small number of
nameservers inside the firewall, configure those nameservers to forward
all requests for which they are not authoritative to some small number
of nameservers outside the firewall (here again, you'll need to contract
with someone), and configure the firewall to also allow incoming UDP
port 53 traffic from those outside nameservers to the inside ones.] This
sounds complicated but (with the possible exception of contract issues)
is actually pretty straightforward.

Dave

--
Dave Anderson
<da...@daveanderson.com>
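Three of the replies describe pieces of one defensible setup: Dave Goldsmith's server-side list of secondaries authorized to pull the zone, Kevin Darcy's TSIG-restricted transfers with TCP/53 left open, and Dave Anderson's hidden primary behind the firewall with inside resolvers forwarding to a small set of outside servers. The BIND 9 `named.conf` fragments below are an added example of how those pieces fit together; they are not from any poster or from ISC. Assumed: BIND 9 syntax (`hmac-sha256` rather than the `hmac-md5` of 2002-era BIND), 192.0.2.10 and 192.0.2.11 as the contracted outside secondaries, 198.51.100.53 as the contracted outside forwarder, and a placeholder TSIG secret.

```conf
// ---- hidden primary, inside the firewall (constructed example) ----

key "xfer-key" {
    algorithm hmac-sha256;
    // placeholder: generate a real secret with tsig-keygen and share it
    // only with the contracted secondaries
    secret "REPLACE-WITH-BASE64-SECRET";
};

acl "outside-secondaries" { 192.0.2.10; 192.0.2.11; };

options {
    directory "/var/named";
    recursion no;                       // serves its own zones only
    allow-query { localnets; };         // the public never talks to this box
    allow-transfer { none; };           // default deny; zones opt in below
    notify explicit;                    // only tell the listed secondaries
    also-notify { 192.0.2.10; 192.0.2.11; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    // transfers must come from the listed secondaries AND be TSIG-signed;
    // an unsigned AXFR from a listed address is still refused
    allow-transfer { !{ !outside-secondaries; any; }; key "xfer-key"; };
};

// ---- inside caching resolver, a separate server (constructed example) ----

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localnets; };     // answer only our own clients
    forward only;                       // never iterate to the Internet directly
    forwarders { 198.51.100.53; };      // contracted outside resolver
};

// ---- on each outside secondary: sign transfer requests to the primary ----

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // same placeholder as above
};

server 203.0.113.5 {                    // the hidden primary's address (assumed)
    keys { "xfer-key"; };
};
```

The firewall rules this implies follow the thread's consensus rather than the original poster's: allow both TCP/53 and UDP/53 between the two outside secondaries and the hidden primary (AXFR runs over TCP, NOTIFY over UDP), and allow UDP/53 and TCP/53 between the outside forwarder and the inside resolver, since a truncated reply from the forwarder is retried over TCP. Everything else on port 53 can be dropped without affecting resolution, which is the point of the hidden-primary design.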


Tan Chun Han/ITNOC/PBB/PBBG
Feb 25, 2002, 8:03:10 PM

dave,

what you've mentioned was our exact config.
Another thing that i want to stress is, we are not being "paranoid" about
disabling TCP53!
Couldn't find an option to do that, so i posted it to the newsgroups.

Anyhow, thank you all for your valuable comments!

regards

da...@daveanderson.com@isc.org on 25/02/2002 11:34:44 PM

Please respond to da...@daveanderson.com

Sent by: bind-use...@isc.org


To: comp-protoc...@isc.org
cc:

Subject: Re: Disable TCP/53

