[Snort-sigs] Question Alert 1948

Rich Adamson radamson at ...908...
Sun Jul 20 10:10:19 EDT 2003


> :: I think someone addressed this some time ago, and if memory serves, either
> :: udp or tcp can be used for transfers. I believe the comment was something about
> :: zone size; if a zone transfer is very small, udp is used, otherwise tcp is
> :: used. (My memory might be less than accurate here.)
> 
> See section 4.2.1 of RFC 1035:
> 
>    UDP is not acceptable for zone transfers, but is the recommended method
>    for standard queries in the Internet.
> 
> However, RFC 1995 defines incremental zone transfers, aka IXFR (supported
> by BIND 8.2.3 and greater, I believe...but hopefully you're not running
> that old of a version anyway) which are allowed to use the UDP protocol
> before failing back to TCP.
> 
> I'm only guessing here, but perhaps the original intent of the signature
> was to help DNS admins catch misconfigurations in their config files.  
> IXFR and XFER are treated separately in BIND, so disabling one doesn't
> necessarily disable the other.

Sounds like a perfectly good explanation to me. The only other possibility
is maybe some older versions of bind might have used udp, some versions
did both even though the RFCs specify a "minimum" set of acceptable
behaviors, or, some specific OS vendor went beyond the RFC (of course, that
never happens in reality). ;)

In any case, having an extra rule to cover udp (in addition to tcp) is not
likely a big issue, and if the rule never fires historically, remove it.

Rich
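The RFC distinction discussed above (AXFR is TCP-only per RFC 1035 section 4.2.1, IXFR may try UDP first per RFC 1995) is what a detection rule for alert 1948 is really encoding. The following is an added example, not part of this thread or of the Snort rule itself: it parses the question section of a raw DNS query and labels zone-transfer requests by transport so that AXFR over UDP (never legitimate) is separated from IXFR over UDP (permitted, expect a TCP retry). The label strings and the `build_query` helper are my own choices, and the sample packets are constructed inline.

```python
import struct

AXFR, IXFR = 252, 251  # QTYPE values from RFC 1035 and RFC 1995


def parse_question(payload: bytes):
    """Return (qname, qtype) from the first question of a DNS query.
    'payload' is the bare DNS message: no UDP/TCP header, and for TCP
    the 2-byte length prefix has already been stripped."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set => a response, not a query
        raise ValueError("not a query carrying a question")
    labels, pos = [], 12
    while True:
        ln = payload[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:                      # compression pointers never appear in a question
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


def classify(transport: str, payload: bytes) -> str:
    """Label a zone-transfer request by transport (labels are this example's own)."""
    _name, qtype = parse_question(payload)
    if qtype == AXFR and transport == "udp":
        return "axfr-udp"   # RFC 1035: UDP is not acceptable for zone transfers -> alert
    if qtype == IXFR and transport == "udp":
        return "ixfr-udp"   # RFC 1995 allows this; a truncated reply forces a TCP retry
    if qtype in (AXFR, IXFR):
        return "xfer-tcp"   # legitimate transport; still check the client is an allowed secondary
    return "normal"


def build_query(name: str, qtype: int, txid: int = 0x1948) -> bytes:
    """Construct a minimal DNS query (sample input for testing only)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for transport, qtype in (("udp", AXFR), ("udp", IXFR), ("tcp", AXFR), ("udp", 1)):
        print(transport, qtype, classify(transport, build_query("example.com", qtype)))
```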
