[Snort-users] Snort 2.0.4 CPU Utilization\Optimization
Jason.Haar at ...294...
Fri Nov 21 20:34:05 EST 2003
Matt Kettler said:
> DNS can be done over TCP as well as UDP, although TCP is much less
> common most DNS servers support both. Usually TCP is only used for
> larger queries like large zone transfers.
DNS zone transfers are *exclusively* done over TCP - never UDP. If you
don't need zone transfers, and know that your DNS records are non-complex
(no chaining CNAMEs, only a few MX records/etc), then in fact no-one even
needs to do TCP-based DNS queries off you either. TCP is only used for
large answers (I think the DNS server gives a partial answer over UDP, and
then the client re-tries the same query over TCP, where they receive the
full answer. TCP of course is reliable - so is used for large answers and
For years I have been running our DMZ DNS servers as UDP-only (i.e.
firewall allows UDP port 53 only), and no-one has any issues doing DNS
lookups against us. Obviously I still have to allow our DNS caching
servers to do both TCP and UDP outbound - as there are some records that
are too large for UDP - so TCP is used. (getting a bit OT here ;-)
> It's also a preferred connection method when exploiting DNS servers,
> since it's easier to get a shell on a two-way connection.
Yup - that's why it was really nice to drop it all together :-)
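The UDP-then-TCP behaviour Jason describes (a truncated UDP answer, then the same query retried over TCP) is the standard DNS truncation fallback. The following is an added example, not code from the thread or from Snort: a minimal DNS message builder/parser plus a resolver that retries over TCP only when the UDP reply has the TC (truncated) flag set, and that fails clearly when a UDP-only path is all it has. The name `example.test`, the 192.0.2.x addresses and the `fake_udp_*`/`fake_tcp` transports are constructed stand-ins for real sockets, so it runs offline.

```python
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000  # response bit
FLAG_TC = 0x0200  # truncated: answer did not fit in the UDP datagram


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_A):
    """Standard query: header with RD=1 and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def decode_name(msg, offset):
    """Decode a (possibly compression-pointer) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section."""
    hdr, offset, addrs = parse_header(msg), 12, []
    for _ in range(hdr["qdcount"]):
        _, offset = decode_name(msg, offset)
        offset += 4  # skip qtype and qclass
    for _ in range(hdr["ancount"]):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def resolve(name, udp_send, tcp_send=None, txid=0x1234):
    """Query over UDP; if the reply is truncated, repeat the query over TCP.

    udp_send(datagram) -> datagram; tcp_send(stream) -> stream, where TCP DNS
    messages carry a 2-byte big-endian length prefix. Returns (addresses, transport).
    """
    query = build_query(name, txid)
    reply = parse_header_checked(udp_send(query), txid)
    if not parse_header(reply)["tc"]:
        return parse_a_records(reply), "udp"
    if tcp_send is None:  # the UDP-only firewall case from the thread
        raise RuntimeError("answer truncated over UDP and no TCP path available")
    stream = tcp_send(struct.pack("!H", len(query)) + query)
    (length,) = struct.unpack("!H", stream[:2])
    full = parse_header_checked(stream[2:2 + length], txid)
    return parse_a_records(full), "tcp"


def parse_header_checked(msg, txid):
    hdr = parse_header(msg)
    if hdr["id"] != txid or not hdr["qr"]:  # reject replies that do not match our query
        raise ValueError("reply does not match the outstanding query")
    return msg


# --- constructed fake server side (no network) ---------------------------------
NAME = "example.test"  # hypothetical name
ALL_ADDRS = ["192.0.2.%d" % i for i in range(1, 6)]  # constructed, documentation range


def build_response(txid, name, addrs, truncated):
    flags = 0x8180 | (FLAG_TC if truncated else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for a in addrs:  # name as compression pointer to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        msg += bytes(int(x) for x in a.split("."))
    return msg


def fake_udp_large(query):
    """Large record set: server sends a partial answer with TC set."""
    return build_response(parse_header(query)["id"], NAME, ALL_ADDRS[:2], truncated=True)


def fake_udp_small(query):
    """Small record set: the whole answer fits in one datagram."""
    return build_response(parse_header(query)["id"], NAME, ALL_ADDRS[:1], truncated=False)


def fake_tcp(stream):
    full = build_response(parse_header(stream[2:])["id"], NAME, ALL_ADDRS, truncated=False)
    return struct.pack("!H", len(full)) + full
```

With `fake_udp_small` the resolver never needs TCP, which is the situation Jason relies on for his UDP-only DMZ servers; with `fake_udp_large` it gets a truncated datagram and must retry over TCP, and if no TCP path exists it fails rather than silently returning the partial answer.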