[Snort-sigs] Question Alert 1948
radamson at ...908...
Sun Jul 20 10:10:19 EDT 2003
> :: I think someone addressed this some time ago, and if memory serves, either
> :: udp or tcp can be used for transfers. I believe the comment was something about
> :: zone size; if a zone transfer is very small, udp is used, otherwise tcp is
> :: used. (My memory might be less than accurate here.)
> See section 4.2.1 of RFC 1035:
> UDP is not acceptable for zone transfers, but is the recommended method
> for standard queries in the Internet.
> However, RFC 1995 defines incremental zone transfers, aka IXFR (supported
> by BIND 8.2.3 and greater, I believe...but hopefully you're not running
> that old of a version anyway) which are allowed to use the UDP protocol
> before failing back to TCP.
> I'm only guessing here, but perhaps the original intent of the signature
> was to help DNS admins catch misconfigurations in their config files.
> IXFR and XFER are treated separately in BIND, so disabling one doesn't
> necessarily disable the other.
Sounds like a perfectly good explanation to me. The only other possibility
is maybe some older versions of bind might have used udp, some versions
did both even though the RFCs specify a "minimum" set of acceptable
behaviors, or, some specific OS vendor went beyond the RFC (of course, that
never happens in reality). ;)
In any case, having an extra rule to cover udp (in addition to tcp) is not
likely a big issue, and if the rule never fires historically, remove it.
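The distinction the thread turns on is the QTYPE in the UDP DNS question: AXFR (252) over UDP is never valid per RFC 1035 section 4.2.1, while IXFR (251) over UDP is permitted by RFC 1995 before falling back to TCP. The following is an added illustration, not code from the thread or from the Snort rule set; it parses a DNS query payload (constructed sample input, not captured traffic) and classifies it the way a reviewer triaging an alert like 1948 would want.

```python
import struct

QTYPE_IXFR, QTYPE_AXFR = 251, 252   # RFC 1995 / RFC 1035 zone-transfer QTYPEs

def build_query(qname, qtype, txid=0x1234):
    """Construct a minimal DNS query (constructed sample input, not captured traffic)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)   # QCLASS IN

def parse_question(payload):
    """Return (qname, qtype) from the first question of a DNS query, or None if malformed."""
    if len(payload) < 12:
        return None
    _, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:   # QR set means a response; no question means nothing to classify
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        ln = payload[pos]
        if ln == 0:                     # root label terminates the name
            pos += 1
            break
        if ln & 0xC0:                   # compression pointers are not valid in a question name
            return None
        labels.append(payload[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack(">HH", payload[pos:pos + 4])
    return ".".join(labels), qtype

def classify_udp_query(payload):
    """Triage verdict for a DNS query seen over UDP (hypothetical helper, not a Snort rule)."""
    q = parse_question(payload)
    if q is None:
        return "malformed"
    _, qtype = q
    if qtype == QTYPE_AXFR:
        return "AXFR over UDP: never valid per RFC 1035 4.2.1, likely misconfiguration or probe"
    if qtype == QTYPE_IXFR:
        return "IXFR over UDP: permitted by RFC 1995, expect a TCP retry if the zone delta is large"
    return "ordinary query"

if __name__ == "__main__":
    for t in (QTYPE_AXFR, QTYPE_IXFR, 1):
        print(t, classify_udp_query(build_query("example.com", t)))
```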