On Oct 1, 2007, at 9:24 PM, Mark Andrews wrote:
> > Note that in real deployments just this behavior has broken things
> > on occasion, as many firewall and other such policy application points
> > assume things like DNS resolution will only be UDP/53 transactions.
>
> That assumption has always been wrong.
Not in my experience.
Actually, there are two separate things here. One, is implementation/
product, the other is configuration and device administration. I'm not
sure how your average user would separate the two from a practical
standpoint, and it really doesn't matter.
I'm aware of at least two products in the last few months that, in production
deployment, forced TCP switch-over, only to find that this broke name
resolution completely for a large pool of subscribers.
In addition, in my own experience, more often than not when folks
clamp down firewall policies, in particular in enterprise or "restricted"
space, they often deny all TCP/53 to address spaces (in one case the
culprit for the brokenness above).
Another common place to see policies that block TCP/53 is roaming
access point captive-user environments. E.g., SSH tunneling over
DNS was easy enough over UDP.
To further support my statement, just google for +"firewall policy"
+TCP/53 +DNS, here are a few examples:
http://www.whitehats.ca/downloads/cerberus/Rick_Wanner_GCFW.pdf

Service: The enabled service is DNS (domain-udp, port 53/udp). Firewall-1’s DNS service by default contains both domain-udp (53/udp) and domain-tcp (53/tcp). We have removed domain-tcp from the object definition, on the grounds that we will not be permitting zone transfers. It will be necessary to watch carefully since removing domain-tcp also means that long dns-queries will not be supported. It is important to note that this will not work unless “Accept UDP replies” is enabled on the Firewall-1 Security Properties screen. Without “Accept UDP replies” enabled, the queries will still be allowed through the firewall, but the replies will be dropped on the firewall.
http://security.ucdavis.edu/basic_firewall_rules.pdf:

Allow DNS (UDP 53) to internal DNS server – If the unit runs internal DNS servers this rule is recommended. The rule is needed if a Windows Active Directory server is hosted on the internal network. You must permit TCP 53 for zone transfer capability, however this permission should not be applied by default.
Right or wrong, it's quite common.
> I would also dispute the "many" above. Most firewalls
> actually handle the transition to TCP perfectly fine. There
> are the odd few that are misconfigured. When that happens
> people complain because nameserver resolution fails. Either
> the dataset is "fixed" or the firewall is fixed.
I'd be quite interested in any pointers you might have to empirical
evidence supporting this position. I don't believe it's an odd few
that are misconfigured, I believe it's often done as a conscious
effort.
-danny
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
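The mechanism the two posters disagree about, as an added example that is not code from the thread or from any product or firewall mentioned in it: a stub resolver sends its query over UDP/53, and when the answer comes back with the TC (truncated) bit set it must repeat the query over TCP/53, length-prefixed per RFC 1035 section 4.2.2. A policy that passes UDP/53 but drops TCP/53 therefore fails exactly on the large answers. The transports are passed in as callables so the fallback can be run offline against constructed packets (not captured traffic); the socket helpers at the bottom are for use against a live resolver, and the default server address 127.0.0.1:53 is an assumption.

```python
"""UDP-to-TCP fallback for DNS, with a simulated TCP/53-blocking firewall.

Added example, not from the thread. Packets below are constructed, not captured.
"""
import socket
import struct

DNS_FLAG_QR = 0x8000  # message is a response
DNS_FLAG_TC = 0x0200  # truncated: the answer did not fit in the UDP reply
DNS_FLAG_RD = 0x0100  # recursion desired
DNS_FLAG_RA = 0x0080  # recursion available


def build_query(name, qtype=1, txid=0x1234):
    """Encode a single-question, recursion-desired query for `name` (A by default)."""
    header = struct.pack(">HHHHHH", txid, DNS_FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def is_truncated(message):
    """True when the TC bit is set in the 12-byte DNS header."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than its header")
    flags = struct.unpack(">H", message[2:4])[0]
    return bool(flags & DNS_FLAG_TC)


def tcp_frame(message):
    """DNS over TCP prefixes every message with a 16-bit big-endian length."""
    return struct.pack(">H", len(message)) + message


def resolve(query, udp_send, tcp_send):
    """Try UDP first; on a truncated answer, repeat the query over TCP.

    Returns (answer, transport). Raises RuntimeError when the UDP answer was
    truncated and the TCP retry failed, the symptom a UDP-only rule produces.
    """
    answer = udp_send(query)
    if not is_truncated(answer):
        return answer, "udp"
    try:
        return tcp_send(tcp_frame(query)), "tcp"
    except OSError as exc:
        raise RuntimeError("UDP answer truncated and TCP/53 retry failed: %s" % exc) from exc


# --- constructed responses for offline runs ---
def _fake_response(query, flags):
    """Echo the question section back under a response header carrying `flags`."""
    return query[:2] + struct.pack(">HHHHH", flags, 1, 0, 0, 0) + query[12:]


def fake_udp_full(query):
    """A UDP reply that fit: QR|RD|RA with TC clear."""
    return _fake_response(query, DNS_FLAG_QR | DNS_FLAG_RD | DNS_FLAG_RA)


def fake_udp_truncated(query):
    """A UDP reply whose full answer exceeded the UDP limit: TC set."""
    return _fake_response(query, DNS_FLAG_QR | DNS_FLAG_RD | DNS_FLAG_RA | DNS_FLAG_TC)


def fake_tcp_ok(framed_query):
    """TCP/53 reached the server; returns the message without its length prefix."""
    return fake_udp_full(framed_query[2:])


def fake_tcp_blocked(framed_query):
    """TCP/53 silently dropped by policy: the client only ever sees a timeout."""
    raise socket.timeout("timed out")


# --- real transports for a live resolver (server address is an assumption) ---
def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


def udp_send(query, server=("127.0.0.1", 53), timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, server)
        return s.recv(4096)


def tcp_send(framed_query, server=("127.0.0.1", 53), timeout=3.0):
    with socket.create_connection(server, timeout=timeout) as s:
        s.sendall(framed_query)
        length = struct.unpack(">H", _recv_exact(s, 2))[0]
        return _recv_exact(s, length)


if __name__ == "__main__":
    q = build_query("example.com")
    print(resolve(q, fake_udp_full, fake_tcp_ok)[1])        # udp
    print(resolve(q, fake_udp_truncated, fake_tcp_ok)[1])   # tcp
    try:
        resolve(q, fake_udp_truncated, fake_tcp_blocked)
    except RuntimeError as e:
        print(e)
```

Swapping `fake_tcp_blocked` for the real `tcp_send` against a resolver behind a rule that permits only UDP/53 reproduces the "replies dropped" case from the Firewall-1 excerpt on the TCP side: the UDP query and its truncated reply go through, and the retry then hangs until the timeout, so the failure looks like a slow or dead nameserver rather than a policy decision.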