named on udp ports only

named on udp ports only

Constantine A. Murenin
Hello,

I'm running an sshd on port 53 (domain) as there is some convenient
wireless hot-spot that allows for both udp and tcp connection on this
port without any authentication. :)

(Yes, there is not even a need for NSTX!)

How do I tell my named(8) to only listen on udp ports, and leave tcp
ports for sshd(8)? Is this at all possible with named.conf alone? I've
glanced through named.conf(5), but didn't find the desired option
there...

Thanks,
Constantine.

Re: named on udp ports only

Gilles Chehade
On Tue, 20 Jun 2006 16:07:25 +0100
"Constantine A. Murenin" <[hidden email]> wrote:

> Hello,
>
> I'm running an sshd on port 53 (domain) as there is some convenient
> wireless hot-spot that allows for both udp and tcp connection on this
> port without any authentication. :)
>
> (Yes, there is not even a need for NSTX!)
>
> How do I tell my named(8) to only listen on udp ports, and leave tcp
> ports for sshd(8)? Is this at all possible with named.conf alone? I've
> glanced through named.conf(5), but didn't find the desired option
> there...
>
> Thanks,
> Constantine.
>

can't you just use PF to redirect ?

-- veins

Re: named on udp ports only

Steven Shockley
In reply to this post by Constantine A. Murenin
Constantine A. Murenin wrote:
> How do I tell my named(8) to only listen on udp ports, and leave tcp
> ports for sshd(8)? Is this at all possible with named.conf alone? I've
> glanced through named.conf(5), but didn't find the desired option
> there...

If you can't do it with named, you could use pf to redir the incoming
TCP 53 connections to port 22.  Then there's no port conflict.

Re: named on udp ports only

Constantine A. Murenin
In reply to this post by Gilles Chehade
On 20/06/06, Gilles Chehade <[hidden email]> wrote:

> On Tue, 20 Jun 2006 16:07:25 +0100
> "Constantine A. Murenin" <[hidden email]> wrote:
>
> > Hello,
> >
> > I'm running an sshd on port 53 (domain) as there is some convenient
> > wireless hot-spot that allows for both udp and tcp connection on this
> > port without any authentication. :)
> >
> > (Yes, there is not even a need for NSTX!)
> >
> > How do I tell my named(8) to only listen on udp ports, and leave tcp
> > ports for sshd(8)? Is this at all possible with named.conf alone? I've
> > glanced through named.conf(5), but didn't find the desired option
> > there...
> >
> > Thanks,
> > Constantine.
> >
>
> can't you just use PF to redirect ?

I was thinking about that, but I wanted to make it more "proper". :)

Re: named on udp ports only

Gilles Chehade
On Tue, 20 Jun 2006 16:28:28 +0100
"Constantine A. Murenin" <[hidden email]> wrote:

> On 20/06/06, Gilles Chehade <[hidden email]> wrote:
> > On Tue, 20 Jun 2006 16:07:25 +0100
> > "Constantine A. Murenin" <[hidden email]> wrote:
> >
> > > Hello,
> > >
> > > I'm running an sshd on port 53 (domain) as there is some
> > > convenient wireless hot-spot that allows for both udp and tcp
> > > connection on this port without any authentication. :)
> > >
> > > (Yes, there is not even a need for NSTX!)
> > >
> > > How do I tell my named(8) to only listen on udp ports, and leave
> > > tcp ports for sshd(8)? Is this at all possible with named.conf
> > > alone? I've glanced through named.conf(5), but didn't find the
> > > desired option there...
> > >
> > > Thanks,
> > > Constantine.
> > >
> >
> > can't you just use PF to redirect ?
>
> I was thinking about that, but I wanted to make it more "proper". :)
>

well, you are trying to do something quite disgusting, pf is probably
the most elegant way to do that ;)

Re: named on udp ports only

Constantine A. Murenin
On 20/06/06, Gilles Chehade <[hidden email]> wrote:

> On Tue, 20 Jun 2006 16:28:28 +0100
> "Constantine A. Murenin" <[hidden email]> wrote:
>
> > On 20/06/06, Gilles Chehade <[hidden email]> wrote:
> > > On Tue, 20 Jun 2006 16:07:25 +0100
> > > "Constantine A. Murenin" <[hidden email]> wrote:
> > >
> > > > Hello,
> > > >
> > > > I'm running an sshd on port 53 (domain) as there is some
> > > > convenient wireless hot-spot that allows for both udp and tcp
> > > > connection on this port without any authentication. :)
> > > >
> > > > (Yes, there is not even a need for NSTX!)
> > > >
> > > > How do I tell my named(8) to only listen on udp ports, and leave
> > > > tcp ports for sshd(8)? Is this at all possible with named.conf
> > > > alone? I've glanced through named.conf(5), but didn't find the
> > > > desired option there...
> > > >
> > > > Thanks,
> > > > Constantine.
> > > >
> > >
> > > can't you just use PF to redirect ?
> >
> > I was thinking about that, but I wanted to make it more "proper". :)
> >
>
> well, you are trying to do something quite disgusting, pf is probably
> the most elegant way to do that ;)

The machine in question doesn't run pf, and the DSL router that it is
connected to doesn't have the option to change ports... :(

So I'd like to settle this with named alone. :)

Thanks,
Constantine.

Re: named on udp ports only

danno
In reply to this post by Constantine A. Murenin
> From: [hidden email] [mailto:[hidden email]] On Behalf Of
> Constantine A. Murenin
> Sent: Tuesday, June 20, 2006 11:44 AM
> To: Gilles Chehade
> Cc: [hidden email]
> Subject: Re: named on udp ports only
>
> On 20/06/06, Gilles Chehade <[hidden email]> wrote:
> > On Tue, 20 Jun 2006 16:28:28 +0100
> > "Constantine A. Murenin" <[hidden email]> wrote:
> >
> > > On 20/06/06, Gilles Chehade <[hidden email]> wrote:
> > > > On Tue, 20 Jun 2006 16:07:25 +0100
> > > > "Constantine A. Murenin" <[hidden email]> wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > I'm running an sshd on port 53 (domain) as there is some
> > > > > convenient wireless hot-spot that allows for both udp and tcp
> > > > > connection on this port without any authentication. :)
> > > > >
> > > > > (Yes, there is not even a need for NSTX!)
> > > > >
> > > > > How do I tell my named(8) to only listen on udp ports, and leave
> > > > > tcp ports for sshd(8)? Is this at all possible with named.conf
> > > > > alone? I've glanced through named.conf(5), but didn't find the
> > > > > desired option there...
> > > > >
> > > > > Thanks,
> > > > > Constantine.
> > > > >
> > > >
> > > > can't you just use PF to redirect ?
> > >
> > > I was thinking about that, but I wanted to make it more "proper". :)
> > >
> >
> > well, you are trying to do something quite disgusting, pf is probably
> > the most elegant way to do that ;)
>
> The machine in question doesn't run pf, and the DSL router that it is
> connected to doesn't have the option to change ports... :(
>
> So I'd like to settle this with named alone. :)
>
> Thanks,
> Constantine.


Correct me if I'm wrong (and I usually am) but I thought DNS (and named
specifically) only used tcp connections for zone transfers.

If you only allow resolution and not zone transfers, named should only
communicate via UDP... no need for nasty pf work.



Dan Farrell
Applied Innovations
[hidden email]

Re: named on udp ports only

Spruell, Darren-Perot
In reply to this post by Constantine A. Murenin
From: [hidden email]

> > The machine in question doesn't run pf, and the DSL router
> that it is
> > connected to doesn't have the option to change ports... :(
> >
> > So I'd like to settle this with named alone. :)
> >
> > Thanks,
> > Constantine.
>
>
> Correct me if I'm wrong (and I usually am) but I thought DNS
> (and named
> specifically) only used tcp connections for zone transfers.
>
> If you only allow resolution and not zone transfers, named should only
> communicate via UDP... no need for nasty pf work.

http://cr.yp.to/djbdns/tcp.html#why outlines cases where TCP is needed.
Large result sets (over 512 bytes) may qualify the use of TCP, but I'm not
clear on whether that means your named needs to bind to 53/tcp to handle
those correctly.

DS

Re: named on udp ports only

Wolfgang S. Rupprecht-47
In reply to this post by danno
"Dan Farrell" <[hidden email]> writes:
> Correct me if I'm wrong (and I usually am) but I thought DNS (and named
> specifically) only used tcp connections for zone transfers.

Last time I looked named used TCP any time a packet needed to be
fragmented due to size.  It is highly unlikely that the OP will have a
fully functional system after turning off 53/tcp to named traffic.

-wolfgang

Re: named on udp ports only

Tobias Ulmer
On Tue, Jun 20, 2006 at 10:53:00AM -0700, Wolfgang S. Rupprecht wrote:

> "Dan Farrell" <[hidden email]> writes:
> > Correct me if I'm wrong (and I usually am) but I thought DNS (and named
> > specifically) only used tcp connections for zone transfers.
>
> Last time I looked named used TCP any time a packet needed to be
> fragmented due to size.  It is highly unlikely that the OP will have a
> fully functional system after turning off 53/tcp to named traffic.
>
> -wolfgang
>
>

As long as you don't do zone transfers or need large records,
it doesn't matter that much.

tobiasu@vanadium:~$ sudo pfctl -vs rules | grep -A 1 domain
pass in on vr0 inet proto tcp from <dns> to 10.0.0.1 port = domain keep state
  [ Evaluations: 89        Packets: 0         Bytes: 0           States: 0     ]
pass in on vr0 inet proto udp from <dns> to 10.0.0.1 port = domain keep state
  [ Evaluations: 17860     Packets: 11257     Bytes: 1047939     States: 0     ]

Tobias

Re: named on udp ports only

Stuart Henderson
In reply to this post by Wolfgang S. Rupprecht-47
On 2006/06/20 10:53, Wolfgang S. Rupprecht wrote:
> "Dan Farrell" <[hidden email]> writes:
> > Correct me if I'm wrong (and I usually am) but I thought DNS (and named
> > specifically) only used tcp connections for zone transfers.
>
> Last time I looked named used TCP any time a packet needed to be
> fragmented due to size.

Or EDNS0 (supporting larger DNS responses over UDP). Main place people are
likely to see that needs >512 bytes is aol.com MX records.

Re: named on udp ports only

Dave Anderson-4
In reply to this post by Constantine A. Murenin
** Reply to message from "Constantine A. Murenin" <[hidden email]>
on Tue, 20 Jun 2006 16:07:25 +0100

>Hello,
>
>I'm running an sshd on port 53 (domain) as there is some convenient
>wireless hot-spot that allows for both udp and tcp connection on this
>port without any authentication. :)
>
>(Yes, there is not even a need for NSTX!)
>
>How do I tell my named(8) to only listen on udp ports, and leave tcp
>ports for sshd(8)? Is this at all possible with named.conf alone? I've
>glanced through named.conf(5), but didn't find the desired option
>there...

If you look at the RFCs defining DNS you'll quickly discover that TCP
access is *required* for all servers.  While it's mostly used for zone
transfers, *any* request whose answer is too large to fit in a single
UDP packet must be retried via TCP.

In other words, it's not possible to do what you want.  (It can
*appear* to work, but you'll have obscure problems where some requests
quietly fail for no obvious reason.)

        Dave

--
Dave Anderson
<[hidden email]>
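
The TCP fallback that the last several replies describe (answers over 512 bytes, the EDNS0 exception, the "quietly fail" failure mode) can be seen end to end in a small model. This is an added example, not code from the thread or from BIND: it builds a query, has a constructed server answer it under the client's UDP size limit, and shows the resolver deciding to retry over TCP when the TC bit comes back. The zone name example.invalid, the mx-NN.mail.example.invalid hosts and the 4096-byte EDNS0 buffer are constructed values; the wire format, the 512-byte limit and the OPT record follow RFC 1035 and RFC 6891.

```python
import struct

HEADER = struct.Struct("!HHHHHH")        # id, flags, qdcount, ancount, nscount, arcount
QR, AA, TC = 0x8000, 0x0400, 0x0200      # header flag bits (RFC 1035 section 4.1.1)
TYPE_MX, TYPE_OPT, CLASS_IN = 15, 41, 1
CLASSIC_UDP_LIMIT = 512                  # UDP payload cap when the client sends no OPT record


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, qtype=TYPE_MX, udp_payload=None):
    """Standard recursive query. With udp_payload set, an EDNS0 OPT record
    (RFC 6891) tells the server how large a UDP answer the client accepts."""
    msg = HEADER.pack(qid, 0x0100, 1, 0, 0, 1 if udp_payload else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if udp_payload:
        # OPT RR: root name, TYPE 41, CLASS carries the payload size, TTL 0, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return msg


def skip_name(msg, off):
    """Offset just past the uncompressed name that starts at off."""
    while msg[off]:
        off += 1 + msg[off]
    return off + 1


def advertised_udp_size(query):
    """UDP size the client can take: the OPT record's CLASS field, else 512."""
    _, _, qdcount, _, _, arcount = HEADER.unpack_from(query)
    off = HEADER.size
    for _ in range(qdcount):
        off = skip_name(query, off) + 4          # skip QTYPE and QCLASS
    if arcount and query[off] == 0 and struct.unpack_from("!H", query, off + 1)[0] == TYPE_OPT:
        return struct.unpack_from("!H", query, off + 3)[0]
    return CLASSIC_UDP_LIMIT


def build_response(query, mx_hosts, size_limit=None, ttl=300):
    """Constructed server behaviour: answer with one MX record per host. If a
    size_limit is given and the full message would exceed it, set TC and return
    only the question section, as RFC 1035 section 4.2.1 requires."""
    qid = HEADER.unpack_from(query)[0]
    question = query[HEADER.size:skip_name(query, HEADER.size) + 4]
    answers = b""
    for pref, host in enumerate(mx_hosts, start=10):
        rdata = struct.pack("!H", pref) + encode_name(host)
        # 0xC00C is a compression pointer to the query name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, CLASS_IN, ttl, len(rdata)) + rdata
    full = HEADER.pack(qid, QR | AA, 1, len(mx_hosts), 0, 0) + question + answers
    if size_limit is None or len(full) <= size_limit:
        return full
    return HEADER.pack(qid, QR | AA | TC, 1, 0, 0, 0) + question


def udp_answer(query, mx_hosts):
    """What a server puts in a UDP reply: capped at the client's advertised size."""
    return build_response(query, mx_hosts, advertised_udp_size(query))


def tcp_answer(query, mx_hosts):
    """What a server sends over TCP: no 512-byte cap, 2-byte length prefix (RFC 1035 4.2.2)."""
    msg = build_response(query, mx_hosts)
    return struct.pack("!H", len(msg)) + msg


def needs_tcp_retry(response):
    """Resolver side: a reply with TC set must be repeated over TCP."""
    return bool(HEADER.unpack_from(response)[1] & TC)


def sample_hosts(count=12):
    """Constructed MX set large enough to overflow a 512-byte UDP reply."""
    return ["mx-%02d.mail.example.invalid" % i for i in range(count)]


def demo(name="example.invalid"):
    """(truncated without EDNS0, truncated with EDNS0 4096, length of TCP reply)."""
    hosts = sample_hosts()
    plain = udp_answer(build_query(1, name), hosts)
    edns = udp_answer(build_query(2, name, udp_payload=4096), hosts)
    over_tcp = tcp_answer(build_query(3, name), hosts)
    return needs_tcp_retry(plain), needs_tcp_retry(edns), len(over_tcp)


if __name__ == "__main__":
    print(demo())   # (True, False, 539)
```

The twelve constructed MX records come to 537 bytes, so a client without EDNS0 gets a truncated reply and must reconnect on 53/tcp; a client advertising a 4096-byte buffer gets the whole answer over UDP. If nothing answers on 53/tcp, the first kind of client sees exactly the quiet failure described above: the UDP exchange succeeds, carries no answers, and the retry hangs or is refused.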

Re: named on udp ports only

Joachim Schipper
In reply to this post by Constantine A. Murenin
On Tue, Jun 20, 2006 at 04:07:25PM +0100, Constantine A. Murenin wrote:

> Hello,
>
> I'm running an sshd on port 53 (domain) as there is some convenient
> wireless hot-spot that allows for both udp and tcp connection on this
> port without any authentication. :)
>
> (Yes, there is not even a need for NSTX!)
>
> How do I tell my named(8) to only listen on udp ports, and leave tcp
> ports for sshd(8)? Is this at all possible with named.conf alone? I've
> glanced through named.conf(5), but didn't find the desired option
> there...

It appears an interesting hack would be possible here, in the form of a
proxy that recognizes both DNS and SSH (which are both pretty easy to
recognize, IIRC), and proxies the connection to the proper daemon.

Of course, this is a kludge, too, but at least it's more elegant and not
as likely to break stuff. Someone might even have already written one,
but I think it's likely you'll have to do it yourself.

                Joachim
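
The protocol-recognizing front-end proposed above, as an added example that is not part of the thread and not anyone's existing tool: a Python asyncio proxy that owns 53/tcp, looks at the first bytes a client sends, and hands the connection to sshd or to named's TCP listener. It assumes (these ports are constructed, not from the thread) that sshd has been moved to 127.0.0.1:2222 and named's TCP side to 127.0.0.1:5353, while named keeps 53/udp directly. The discriminator relies on two facts: an SSH client sends its identification string first (RFC 4253 section 4.2), and a DNS client on TCP sends a 2-byte length followed by a header with QR clear and one question (RFC 1035 sections 4.2.2 and 4.1.1). Anything that matches neither is closed rather than guessed at.

```python
import asyncio
import struct

# Assumed layout (not from the thread): sshd and named's TCP listener are moved
# to local ports and this front-end owns 53/tcp; named keeps 53/udp itself.
SSH_BACKEND = ("127.0.0.1", 2222)
DNS_BACKEND = ("127.0.0.1", 5353)
PEEK_TIMEOUT = 5.0
DNS_QR = 0x8000                      # header flag: set on responses, clear on queries


def classify(first_bytes):
    """Return "ssh", "dns", or None from the first bytes a client sends.
    An SSH client opens with its identification string (RFC 4253 4.2); a DNS
    client on TCP opens with a 2-byte length, then a 12-byte header with QR
    clear and exactly one question (RFC 1035 4.2.2 and 4.1.1). Anything else
    is unknown and gets dropped rather than guessed."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 8:
        length, _qid, flags, qdcount = struct.unpack_from("!HHHH", first_bytes)
        if length >= 12 and not flags & DNS_QR and qdcount == 1:
            return "dns"
    return None


async def pipe(reader, writer):
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_reader, client_writer):
    try:
        first = await asyncio.wait_for(client_reader.read(64), PEEK_TIMEOUT)
    except asyncio.TimeoutError:
        first = b""                 # silent client: neither an SSH banner nor a DNS query
    kind = classify(first)
    if kind is None:
        client_writer.close()
        return
    host, port = SSH_BACKEND if kind == "ssh" else DNS_BACKEND
    backend_reader, backend_writer = await asyncio.open_connection(host, port)
    backend_writer.write(first)     # replay the bytes consumed while classifying
    await backend_writer.drain()
    await asyncio.gather(pipe(client_reader, backend_writer),
                         pipe(backend_reader, client_writer))


async def serve(host="0.0.0.0", port=53):
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Binding port 53 needs the usual privileges, so run it the same way named itself is started. Because a resolver that gets a truncated UDP answer now reaches named when it retries on 53/tcp, this arrangement avoids the silent failures raised earlier in the thread; the cost is one more process in the path of every TCP connection to the port, and the classifier should stay as narrow as it is (unknown traffic is dropped, not forwarded to a default backend).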

Re: named on udp ports only

Giancarlo Razzolini
Joachim Schipper wrote:

>
> It appears an interesting hack would be possible here, in the form of a
> proxy that recognizes both DNS and SSH (which are both pretty easy to
> recognize, IIRC), and proxies the connection to the proper daemon.
>
> Of course, this is a kludge, too, but at least it's more elegant and not
> as likely to break stuff. Someone might even have already written one,
> but I think it's likely you'll have to do it yourself.
>
> Joachim
>
>
This hack already exists. AFAIK, delegate http://www.delegate.org, can do
this.

My cent,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85


Re: named on udp ports only

Steven Shockley
Giancarlo Razzolini wrote:
> This hack already exist. AFAIK, delegate http://www.delegate.org, can do
> this.

Be careful what you wish for!  He finally got around to checking for
string buffer overflows in December 2004:

http://www.delegate.org/mail-lists/delegate-en/2793

DeleGate has a reputation like OpenBSD has, except it's "not security"
instead of "security".