From: Hudson Delbert J Contr 61 CS/SCBN <Delbert.Hudson@LOSANGELES.AF.MIL>
To: "'Mark-Walter@t-online.de'" <Mark-Walter@t-online.de>,
	netfilter@lists.netfilter.org
Subject: RE: RFC 1035 Bind
Date: Tue, 9 Nov 2004 11:22:47 -0800
Message-ID: <29F6FAF7F2C0D41190980002A513591E0E473235@FSNSAB30>


Use of port 53 is for zone transfers between DNS servers and for when DNS
tries to mux up traffic over the tcpmux service on TCP port 1.
If one is defining what DNS traffic to allow internally, then, in order to
prevent a bunch of needless coding, include TCP port 53 in your plans,
else you are asking for resolution problems down the road.
4.2.2. TCP usage

Messages sent over TCP connections use server port 53 (decimal). The message
is prefixed with a two byte length field which gives the message length,
excluding the two byte length field.  This length field allows the low-level
processing to assemble a complete message before beginning to parse it. This
is an advantage, as it extends the bogus 512-byte limit set by UDP.


As far as connection management, the DNS server should not block other
activities waiting for TCP data and should support multiple connections,
and should assume that the client will initiate the close. To
close a dormant connection to reclaim resources, it waits 120 seconds of idle
time before killing the connection.

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of
Mark-Walter@t-online.de
Sent: Tuesday, November 09, 2004 11:02 AM
To: netfilter@lists.netfilter.org
Subject: RFC 1035 Bind 


Hi,

there's quite a lot to read about open UDP and TCP ports for DNS
queries.

I read an article from a tech guru from Microsoft, as follows :-)

http://certcities.com/editorial/columns/story.asp?EditorialsID=144&page=2

As I understand RFC 1035, answer packets over TCP are truncated
at a limit of 512 bytes, but it could be more ...

Isn't it, comparing this document, the best way while using
UDP to DROP TCP packets over port 53 and to allow only UDP port
53, as it does not use the IP protocol?

Ok, I know there could be a problem inside a web server farm
and you need to allow both protocols, and he is referring to this,
but generally I would prefer to avoid TCP over port 53 in order
to avoid a man-in-the-middle attack.

-- 
Best Regards, Mark. 
"Hello, I am brand new to meditation, and I have a frustrating habit of
falling asleep in class. I don't know how to stop this. When my teacher
tells us to relax our bodies and focus on breathing, my body relaxes, but so
does my brain."
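The RFC 1035 section 4.2.2 framing quoted in the reply above, as an added example that is not part of either mail: a reassembler for the two-byte length prefix on a DNS-over-TCP stream, plus a check of the header TC bit, which is what sends a resolver from UDP to TCP/53 in the first place (all function names and the sample headers are constructed for this illustration).

```python
import struct

UDP_MAX_PAYLOAD = 512  # classic RFC 1035 ceiling for a UDP DNS response


def frame_tcp_messages(buffer: bytes):
    """Split a DNS-over-TCP byte stream into complete messages.

    Each message is prefixed by a two-byte network-order length that
    excludes the prefix itself. Returns (messages, leftover); leftover is
    the incomplete tail to prepend to the next chunk read from the socket.
    """
    messages, pos = [], 0
    while len(buffer) - pos >= 2:
        (length,) = struct.unpack("!H", buffer[pos:pos + 2])
        if len(buffer) - pos - 2 < length:
            break  # body not fully received yet: assemble before parsing
        messages.append(buffer[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages, buffer[pos:]


def is_truncated(message: bytes) -> bool:
    """True if the TC bit (0x0200 in the flags word) is set in a DNS header.

    A truncated UDP answer is what makes a resolver retry over TCP port 53,
    so dropping TCP/53 at a firewall breaks exactly those lookups.
    """
    if len(message) < 12:
        raise ValueError("shorter than a 12-byte DNS header")
    (flags,) = struct.unpack("!H", message[2:4])
    return bool(flags & 0x0200)


def build_header(msg_id: int, truncated: bool) -> bytes:
    # Constructed sample: standard response header (QR, RD, RA), no records.
    flags = 0x8180 | (0x0200 if truncated else 0)
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


def demo():
    # Constructed stream: one small answer, then one larger than 512 bytes.
    small = build_header(1, truncated=False)
    big = build_header(2, truncated=True) + b"\x00" * (UDP_MAX_PAYLOAD + 100)
    stream = (struct.pack("!H", len(small)) + small
              + struct.pack("!H", len(big)) + big)
    # Deliver the stream in two chunks to exercise the partial-read path.
    first, leftover = frame_tcp_messages(stream[:300])
    second, leftover = frame_tcp_messages(leftover + stream[300:])
    return first, second, leftover
```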

