[Snort-users] Snort 2.0.4 CPU Utilization\Optimization

Jason Haar Jason.Haar at ...294...
Fri Nov 21 20:34:05 EST 2003

Matt Kettler said:
> DNS can be done over TCP as well as UDP, although TCP is much less
> common  most DNS servers support both. Usually TCP is only used for
> larger queries  like large zone transfers.

DNS zone transfers are *exclusively* done over TCP - never UDP. If you
don't need zone transfers, and know that your DNS records are non-complex
(no chaining CNAMEs, only a few MX records/etc), then in fact no-one even
needs to do TCP-based DNS queries off you either. TCP is only used for
large answers (I think the DNS server gives a partial answer over UDP, and
then the client re-tries the same query over TCP, where they receive the
full answer. TCP of course is reliable - so is used for large answers and
zone transfers).
For years I have been running our DMZ DNS servers as UDP-only (i.e.
firewall allows UDP port 53 only), and no-one has any issues doing DNS
lookups against us. Obviously I still have to allow our DNS caching
servers to do both TCP and UDP outbound - as there are some records that
are too large for UDP - so TCP is used. (getting a bit OT here ;-)

> It's also a preferred connection method when exploiting DNS servers,
> since  it's easier to get a shell on a two-way connection.

Yup - that's why it was really nice to drop it all together :-)


More information about the Snort-users mailing list