Re: The old chestnut - is TCP necessary?

> On Thu, Sep 16, 2004 at 09:20:03PM +0100, Marc Thach Xuan Ky wrote:
> > I have a friend 8^) who wants to allow TCP DNS through the firewall. The
> > firewall people are not keen to do this. Telling them that "the
> > firewall is broken" unfortunately does not sway them. My friend needs
> > examples of real Internet domain lookups that truncate and require TCP.
> > Does anybody out there know of any?
>
> Why does it matter what other people have? Does your friend have a need for
> TCP DNS? If so, he should be able to demonstrate the need based on his own
> requirements, rather than someone else's requirements.
>
> -roy


If he has permission to run the nameserver that should
give him permission to have the transports (plural) required
to operate the nameserver correctly as designed. DNS is
one of the few protocols that uses multiple transports
and the clients switch between them based on need / activity.

QUERY:
UDP then TCP if the answer doesn't fit except for AXFR
which starts out TCP and IXFR which is usually starts
with TCP but can start with UDP and switch if the answer
doesn't fit.

UPDATE:
TCP recommended but will operate over UDP.

What the security people should be worring about is does
he have a nameserver with no known compromises. Is he on
a list where he will learn of any security flaws in his
server if/when they come up and what is the policy when this
occurs.

He should be asking his firewall people. Are your firewalls
EDNS aware? Can you set the allowed DNS/UDP messages size
to 4096 (if he is running a modern named)?

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org