Security Advisory on TCP connections to DNS
Tom Marshall
tommy@home.tig-grr.com
Fri, 11 Jan 2002 15:31:59 -0800
On Fri, Jan 11, 2002 at 07:49:45PM +0100, Maciej Soltysiak wrote:
> Hi,
>
> I stand corrected.
>
> Unfortunately, my knowledge was based on "TCP/IP Illustrated", which
> states nothing about TCP with DNS. It states that if the payload is over
> 512 bytes, the TC (Truncated) bit is set.
>
> I have read some documentation and searched the web.
>
> Thanks.
>
> Nevertheless, I have a question: How common are TCP queries?
> The idea you proposed (adding 40 records) produces TCP replies, which are not
> a security concern, as our trusted machine sends them.
In practice, it is extremely rare for a DNS packet to exceed 512 bytes. You
should be able to determine if your DNS server will ever generate an
oversized reply by examining the data in your zone files and doing a bit of
experimentation. If you don't do round-robin DNS with a huge server farm or
have exceedingly long hostnames (FQDNs over 100 characters), chances are
that you will never see an oversized DNS packet.
None of my zone files are such that a valid DNS request or response will
ever exceed 512 bytes, so I block TCP/53 on my DNS server. I also do fairly
extensive firewall logging and the exploit attempts seem to go in waves.
Usually once or twice per week, I will see a rash of about a dozen
connection attempts on TCP/53.
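The check Tom describes above (work out from the zone data whether any answer can exceed 512 bytes and so be truncated with TC=1, forcing the client onto TCP/53) can be done on paper or with a small script. The following is an added example written for this archived thread; it is not code from either poster. It hand-encodes the RFC 1035 wire format with only the Python standard library, uses the question name www.example.com and addresses from the 192.0.2.0/24 documentation range as constructed sample data, and models a server that truncates on whole resource records, which is an assumption about server behaviour rather than something stated in the thread.

```python
"""Estimate whether a UDP DNS answer for a record set exceeds the classic
512-byte limit, and show what the truncated (TC=1) reply looks like.

Added example for this thread, not code from any poster. Standard library
only; the wire format is encoded by hand (RFC 1035 section 4.1)."""
import struct
import ipaddress

UDP_DNS_LIMIT = 512   # UDP payload ceiling discussed in the thread
TC_FLAG = 0x0200      # Truncated bit in the header flags word
A_RR_WIRE_LEN = 16    # 2-byte name pointer + type + class + TTL + rdlength + 4-byte address


def encode_name(name):
    """Encode a domain name as length-prefixed labels terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError("bad label in %r" % name)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_a_response(qname, addresses, ttl=300, txid=0x1234):
    """Build a complete DNS response: header, one A question, one A RR per address.

    Answer owner names use a compression pointer (0xC00C) back to the question
    name at offset 12, so every A record costs exactly 16 bytes on the wire."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = bytearray()
    for addr in addresses:
        rdata = ipaddress.IPv4Address(addr).packed
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + bytes(answers)


def needs_tcp(qname, addresses):
    """Return (wire size, True if a client would have to retry over TCP)."""
    size = len(build_a_response(qname, addresses))
    return size, size > UDP_DNS_LIMIT


def max_a_records_in_udp(qname):
    """Largest round-robin A record set for qname that still fits in 512 bytes."""
    fixed = 12 + len(encode_name(qname)) + 4   # header + QNAME + QTYPE/QCLASS
    return (UDP_DNS_LIMIT - fixed) // A_RR_WIRE_LEN


def udp_response(qname, addresses, ttl=300):
    """What goes into the UDP reply: the full message if it fits, otherwise a
    message cut back to whole RRs with TC=1 (assumed server behaviour)."""
    full = build_a_response(qname, addresses, ttl)
    if len(full) <= UDP_DNS_LIMIT:
        return full
    keep = max_a_records_in_udp(qname)
    msg = bytearray(build_a_response(qname, addresses[:keep], ttl))
    struct.pack_into("!H", msg, 2, struct.unpack_from("!H", msg, 2)[0] | TC_FLAG)
    return bytes(msg)


def is_truncated(message):
    """True if the TC bit is set in the header flags."""
    return bool(struct.unpack_from("!H", message, 2)[0] & TC_FLAG)


def answer_count(message):
    """ANCOUNT field from the header."""
    return struct.unpack_from("!H", message, 6)[0]


if __name__ == "__main__":
    # Constructed sample: the "40 records" round-robin set from the thread.
    addrs = ["192.0.2.%d" % i for i in range(1, 41)]
    size, tcp = needs_tcp("www.example.com", addrs)
    print("40 A records: %d bytes, TCP fallback needed: %s" % (size, tcp))
    print("max A records in one UDP reply:", max_a_records_in_udp("www.example.com"))
    reply = udp_response("www.example.com", addrs)
    print("UDP reply: %d bytes, TC=%s, ANCOUNT=%d"
          % (len(reply), is_truncated(reply), answer_count(reply)))
```

Running it against a zone's own record sets is the "bit of experimentation" the message recommends: if no name in the zone comes close to the computed ceiling (29 A records for a 15-character owner name), no legitimate UDP answer will ever carry TC=1, and the only TCP/53 traffic you should expect is zone transfers you have arranged yourself. Longer owner names and records with variable-length RDATA (TXT, MX, CNAME) reduce the headroom, so check the largest record sets, not the typical ones.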