normanzhang join:2004-09-03 Calgary, AB | domain-tcp
I'm seeing some domain-tcp from my LAN (workstations) to DNS. Workstations are supposed to do domain-udp for nslookup and not domain-tcp. Does this mean these boxes are infected with a trojan?
B Premium,MVM join:2000-10-28
Sounds like quite a leap to me.
The last time this came up, it seemed that DNS queries can be EITHER TCP or UDP, depending in part on the size of the query packets. Or something like that. Google would likely tell all.
-- B -- In a realm outside causality and function
wintr join:2004-10-13 Calgary, AB | reply to normanzhang
I believe DNS uses both tcp and udp. But I'm not qualified to speak on this one.
-- 546f6f206d616e792073656372657473»augmentedreality.ca
PetePuma How many lumps do you want Premium,MVM join:2002-06-13 Arlington, VA | reply to normanzhang
DNS tries to use UDP, but will use TCP for any query returns that exceed the size of a single UDP packet. Both are necessary for a functional DNS system.
normanzhang join:2004-09-03 Calgary, AB
Thanks for the clarification. I'd always thought TCP is for domain transfer, and UDP is for domain lookup.
Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 2 edits | reply to normanzhang
said by PetePuma: DNS tries to use UDP, but will use TCP for any query returns that exceed the size of a single UDP packet. Both are necessary for a functional DNS system.
Nearly correct. In fact any DNS traffic that exceeds 512 bytes in size will move from UDP as its transport to TCP. Zone Transfers use TCP because they are usually above this limit.
-- cat knowledge | grep understanding
B Premium,MVM join:2000-10-28
So just querying on www.ANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadWhyAreYouStillReadingThisANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundr.com
would generate a TCP session from the client side?
-- B -- In a realm outside causality and function
Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 1 edit
said by B: So just querying on www.ANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundredCharactersIncludingDNSOverheadWhyAreYouStillReadingThisANameLongerThanFiveHundredCharactersIncludingDNSOverheadANameLongerThanFiveHundr.com would generate a TCP session from the client side?
That's correct, sir (assuming that's 512 bytes).
-- cat knowledge | grep understanding
wintr join:2004-10-13 Calgary, AB
But the domain wouldn't have to be 512 in length to force it, since there is overhead for the frame and what not.
Right?
-- 546f6f206d616e792073656372657473»augmentedreality.ca
Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs:
Yeah, I think you're right. I think it goes by the size of the packet in its entirety, not just the DNS payload itself. My bad.
-- cat knowledge | grep understanding
normanzhang join:2004-09-03 Calgary, AB
From what I gathered, I would need to allow domain-tcp both ways for all hosts. As long as I set up DNS not to allow transfer of domain to others, then I'm fine?
ghost16825 Use security metrics Premium join:2003-08-26 | reply to normanzhang
I asked the question »[Kerio 2.x] DNS over TCP a while ago as to whether anyone had ever experienced this happening as part of their day to day behaviour. I may have had this occur maybe once when using my PC over its entire lifetime. I've come to the conclusion that this is so rare it is not worth allowing as a firewall rule. If you ask me, you should just allow UDP for DNS requests and let that be the end of it.
Even with weird and wonderful domain names it's difficult to do.
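The UDP-to-TCP fallback the thread is debating, as an added example that is not from any poster: a stub resolver sends the query over UDP first and retries over TCP only when the server's reply comes back with the TC (truncated) bit set, per RFC 1035 section 4.2.1, which is why a workstation occasionally opening TCP/53 is expected behaviour rather than a sign of infection, and why the trigger is the reply size, not the query. The send_udp/send_tcp callables and the two replies are constructed stand-ins so the exchange runs offline; the label and name limits enforced in encode_name are the RFC 1035 section 2.3.4 limits (63 octets per label, 255 octets per name), which the joke name above already exceeds.

```python
import struct

TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags (RFC 1035 section 4.1.1)

def encode_name(name):
    """Encode a domain name as length-prefixed labels, enforcing the RFC 1035
    limits: each label 1..63 octets, whole encoded name at most 255 octets."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 octets: %r" % label)
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"  # root label terminates the name
    if len(wire) > 255:
        raise ValueError("encoded name exceeds 255 octets")
    return wire

def build_query(name, txid=0x1234, qtype=1):
    """DNS query: 12-byte header (RD set, one question) + QNAME + QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a two-octet length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def is_truncated(response, txid):
    """True when the reply for our transaction carries TC=1, i.e. the server could not
    fit the answer in a UDP reply and the client must repeat the query over TCP."""
    rid, flags = struct.unpack("!HH", response[:4])
    return rid == txid and bool(flags & TC_FLAG)

def resolve(name, send_udp, send_tcp, txid=0x1234):
    """Client transport selection: UDP first, TCP only on a truncated reply.
    send_udp/send_tcp take the wire message and return the raw reply (hypothetical
    hooks standing in for real sockets). Returns (reply, transport_used)."""
    query = build_query(name, txid)
    reply = send_udp(query)
    if is_truncated(reply, txid):
        framed = send_tcp(tcp_frame(query))
        return framed[2:], "tcp"  # strip the TCP length prefix
    return reply, "udp"

# Constructed sample replies (not captures): a truncated UDP reply (flags 0x8380 =
# QR|TC|RD|RA) and a complete TCP reply (flags 0x8180 = QR|RD|RA, one answer RR).
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
FULL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

A real client would open the TCP connection to the same server only after seeing TC=1, so on a firewall a TCP/53 flow from a workstation is normally preceded by a UDP/53 exchange to the same resolver.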