[Snort-sigs] Question Alert 1948

Erick Mechler emechler at ...1653...
Sat Jul 19 12:44:12 EDT 2003


:: I think someone addressed this some time ago, and if memory serves, either
:: udp or tcp can be used for transfers. I believe the comment was something about
:: zone size; if a zone transfer is very small, udp is used, otherwise tcp is
:: used. (My memory might be less then accurate here.)

See section 4.2.1 of RFC 1035:

   UDP is not acceptable for zone transfers, but is the recommended method
   for standard queries in the Internet.

However, RFC 1995 defines incremental zone transfers, aka IXFR (supported
by BIND 8.2.3 and greater, I believe...but hopefully you're not running
that old of a version anyway) which are allowed to use the UDP protocol
before failing back to TCP.

I'm only guessing here, but perhaps the original intent of the signature
was to help DNS admins catch misconfigurations in their config files.  
IXFR and XFER are treated separately in BIND, so disabling one doesn't
necessarily disable the other.

Cheers - Erick




More information about the Snort-sigs mailing list