DNS migration and folks that don't play nice

Paul Lussier p.lussier at comcast.net
Mon Apr 10 20:42:00 EDT 2006


kclark at mtghouse.com (Kevin D. Clark) writes:

> Bruce Dawson writes:
>
>> Add to this the fact that most BIND servers operate using UDP instead of
>> TCP, and its easy to understand how BIND servers could become
>> corrupt.
>
> How does the fact that a BIND server uses TCP instead of UDP make it
> more or less secure?
>
> (I don't know; this is why I ask)

I think it's more a reliability thing than security (though one could
argue reliability is part of good security...)

If your name servers are receiving updates via UDP, it's far easier
to drop updates in the zone transfer since UDP is lacking everything
required to guarantee a complete transaction.  Moving your zone
transfers over to a TCP connection does a lot more to guarantee the
entire update completes correctly.

Note, though, that usually BIND is configured for zone transfers to occur
over TCP, not the average resolver query.  Those still happen over UDP
as far as I know.
-- 

Seeya,
Paul
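The transport difference Paul describes, as an added example that is not part of the original thread: a UDP resolver query is a bare DNS message that must fit in one datagram, while a TCP zone transfer (AXFR) carries each message behind a 2-byte length prefix so the receiver can tell a complete message from a truncated one. The zone name example.com is a constructed sample.

```python
import struct

QTYPE_A = 1        # ordinary resolver lookup, normally sent over UDP
QTYPE_AXFR = 252   # full zone transfer, sent over TCP
QCLASS_IN = 1
UDP_MAX_PAYLOAD = 512  # classic DNS-over-UDP limit without EDNS0

def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234, rd=True):
    """Build a DNS query: 12-byte header plus one question section."""
    flags = 0x0100 if rd else 0          # RD bit set for a normal lookup
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question

def frame_for_udp(message):
    """UDP carries the message as-is; anything larger must go over TCP."""
    if len(message) > UDP_MAX_PAYLOAD:
        raise ValueError("message exceeds 512 bytes; use TCP")
    return message

def frame_for_tcp(message):
    """RFC 1035 4.2.2: over TCP each message is preceded by a 2-byte length."""
    return struct.pack("!H", len(message)) + message

def split_tcp_stream(stream):
    """Recover whole messages from a TCP byte stream.

    Returns (messages, leftover). A partial message at the end is left in
    'leftover' rather than passed on, which is what lets a TCP zone
    transfer detect an incomplete update instead of silently dropping it.
    """
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break  # truncated: wait for more bytes from the peer
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, stream[pos:]

if __name__ == "__main__":
    axfr = frame_for_tcp(build_query("example.com", QTYPE_AXFR, rd=False))
    print(split_tcp_stream(axfr))
```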