Re: [secdir] secdir review of draft-ietf-dnsop-reflectors-are-evil-04.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Oct 1, 2007, at 9:24 PM, Mark Andrews wrote:


Note that in real deployments just this behavior has broken things
on occasion, as many firewall and other such policy application points
assume things like DNS resolution will only be UDP/53 transactions.

	That assumption has always been wrong.

Not in my experience.

Actually, there are two separate things here.  One, is implementation/
product, the other is configuration and device administration.  I'm not
sure how your average user would separate the two from a practical
standpoint, and it really doesn't matter.

I'm aware of at two products in the last few months that, in production
deployment forced TCP switch-over, only to find that this broke name
resolution completely for a large pool of subscribers.

In addition, in my own experience, more often than not when folks
clamp down firewall policies, in particular in enterprise or "restricted"
space, they often deny all TCP/53 to address spaces (in one case the
culprit for the brokenness above).

Another common place to see policies that block TCP/53 is roaming
access points captive user environments.  E.g., SSH tunneling over
DNS was easy enough over UDP.

To further support my statement, just google for +"firewall policy"
+TCP/53 +DNS, here are a few examples:

http://www.whitehats.ca/downloads/cerberus/Rick_Wanner_GCFW.pdf

Service: The enabled service is DNS (domain-udp, port 53/udp). Firewall-1’s DNS service by default contains both domain-udp (53/udp) and domain-tcp (53/tcp). We have removed domain- tcp from the object definition, on the grounds that we will not be permitting zone transfers. It will be necessary to watch carefully since removing domain-tcp also means that long dns-queries will not be supported. It is important to note that this will not work unless “Accept UDP replies” is enabled on the Firewall-1 Security Properties screen. Without “Accept UDP replies” enabled, the queries will still be allowed through the firewall, but the replies will be dropped on the firewall.

http://security.ucdavis.edu/basic_firewall_rules.pdf:

Allow DNS (UDP 53) to internal DNS server – If the unit runs internal DNS servers this rule is recommended. The rule is needed if a Windows Active Directory server is hosted on the internal network. You must permit TCP 53 for zone transfer capability, however
this permission should not be applied by default.

Right or wrong, it's quite common.

	I would also dispute the "many" above.   Most firewalls
	actually handle the transition to TCP perfectly fine.  There
	are the odd few that are misconfigured.  When that happens
	people complain because nameservers resolution fails.  Either
	the dataset is "fixed" or the firewall is fixed.

I'd be quite interested in any pointers you might have to empirical
evidence supporting this position.  I don't believe it's an odd few
that are misconfigured, I believe it's often done as a conscious
effort.

-danny
_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]