DNS and ICMP

Post by Ee » Thu, 29 Nov 2001 01:10:10
Hi,
   Does anybody know if DNS uses ICMP in
any of its processes?  I'm using ipchains
to filter packets.  I deny all protocol 1, ICMP.
I get a moderate amount of blocked ICMP packets
to and from name servers in my logs.  Should
I allow ICMP to and from name servers?

Thanks.


DNS and ICMP

Post by Michael Guelf » Thu, 29 Nov 2001 01:55:25
DNS should only need TCP & UDP.


> Hi,
>    Does anybody know if DNS uses ICMP in
> any of its processes?  I'm using ipchains
> to filter packets.  I deny all protocol 1, ICMP.
> I get a moderate amount of blocked ICMP packets
> to and from name servers in my logs.  Should
> I allow ICMP to and from name servers?

> Thanks.


DNS and ICMP

Post by Karl Heye » Thu, 29 Nov 2001 02:17:24
> Hi,
>    Does anybody know if DNS uses ICMP in
> any of its processes?  I'm using ipchains to filter packets.  I deny
> all protocol 1, ICMP. I get a moderate amount of blocked ICMP
> packets to and from name servers in my logs.  Should I allow ICMP to
> and from name servers?

DNS uses UDP mainly; it might use TCP in others.  Blocking all ICMP
is silly though.  Packet fragmentation or router problems may be
generating those ICMP.

If you can be more fine grained on the ICMP types then the better,
type 0,3,8,11 I think should be ok for all connections.

karl.


DNS and ICMP

Post by Arthu » Thu, 29 Nov 2001 05:19:39
>    Does anybody know if DNS uses ICMP in
> any of its processes?  I'm using ipchains
> to filter packets.  I deny all protocol 1, ICMP.
> I get a moderate amount of blocked ICMP packets
> to and from name servers in my logs.  Should
> I allow ICMP to and from name servers?

DNS doesn't use ICMP. Use iptables, which is better
than ipchains for this purpose.
nP
"Linux, yes, but what then?"

DNS and ICMP

Post by Michael Muelle » Thu, 29 Nov 2001 06:40:53
Hi Eel,
>    Does anybody know if DNS uses ICMP in
> any of its processes?  I'm using ipchains
> to filter packets.  I deny all protocol 1, ICMP.
> I get a moderate amount of blocked ICMP packets
> to and from name servers in my logs.  Should
> I allow ICMP to and from name servers?

ICMP is used by UDP to tell the sender if nobody is listening on a port.
It is normal to see ICMP port unreachable messages sent from the DNS
client to the server. Seeing those packets sent from the name server
means that it is actually not a name server, or that the DNS service is
temporarily down.

IP and TCP use ICMP packets for error reporting too. The proper
operation and aborting (later, in case of an unrecoverable error) of a TCP
connection does rely on being able to send and receive ICMP packets.

One major problem caused by denying ICMP packets is that TCP Path MTU
discovery fails. Symptoms are stalled TCP connections, recovering
anywhere from slowly to never.

Michael


DNS and ICMP

Post by Karl Heye » Fri, 30 Nov 2001 10:25:16
> Hi Eel,
>>    Does anybody know if DNS uses ICMP in
>> any of its processes?  I'm using ipchains
>> to filter packets.  I deny all protocol 1, ICMP.
>> I get a moderate amount of blocked ICMP packets
>> to and from name servers in my logs.  Should
>> I allow ICMP to and from name servers?

> ICMP is used by UDP to tell the sender if nobody does listen on a port.
> It is normal to see ICMP port unreachable messages send from the DNS
> client to the server. Seeing those packets send from the name server
> means that it is no name server actually or the DNS service being
> temporarily down.

ICMP does not come from the client for DNS requests, it potentially
comes the other way. Also any machine between the client and the server
can send ICMP messages back to the client.  If a firewall is blocking
those messages then reactive measures cannot be taken, for instance
as mentioned PMTU-Disc or unreachables.

karl.
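The two technical points of this thread, Karl's suggestion to allow only ICMP types 0, 3, 8 and 11 rather than all of protocol 1, and Michael's explanation of why port unreachable and Path MTU messages matter, can be checked against the firewall's own logs. The following is an added example and is not code from any poster: it parses ipchains "Packet log:" lines, where for PROTO=1 the number after the source address is the ICMP type and the number after the destination address is the ICMP code, and classifies each blocked packet against that allowlist. The log lines and addresses (RFC 5737 documentation ranges, with 192.0.2.53 standing in for a name server) are constructed for the example.

```python
"""Classify ICMP packets that an ipchains DENY rule has logged.

Added example, not from the thread. Log lines below are constructed and use
documentation addresses; 192.0.2.53 plays the name server.
"""
import re
from collections import Counter

# ipchains (Linux 2.2) log format. For PROTO=1 (ICMP) the number after the
# source address is the ICMP type and the number after the destination
# address is the ICMP code, not UDP/TCP ports.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<a>\d+) "
    r"(?P<dst>[\d.]+):(?P<b>\d+) L=(?P<length>\d+)"
)

ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded",
              12: "parameter-problem", 13: "timestamp-request",
              14: "timestamp-reply"}
UNREACH_CODES = {0: "net-unreachable", 1: "host-unreachable",
                 2: "protocol-unreachable", 3: "port-unreachable",
                 4: "fragmentation-needed", 13: "admin-prohibited"}

# The types the thread suggests permitting for all connections.
ALLOWED_TYPES = frozenset({0, 3, 8, 11})

# Constructed name-server list and log excerpt (not real data).
NAME_SERVERS = {"192.0.2.53"}
SAMPLE_LOG = [
    "Nov 28 16:01:12 gw kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.1:3 198.51.100.10:4 L=56 S=0x00 I=1234 F=0x0000 T=250 (#4)",
    "Nov 28 16:01:13 gw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.53:3 198.51.100.10:3 L=56 S=0x00 I=1235 F=0x0000 T=250 (#4)",
    "Nov 28 16:01:14 gw kernel: Packet log: output DENY eth0 PROTO=1 198.51.100.10:3 192.0.2.53:3 L=56 S=0x00 I=1236 F=0x0000 T=64 (#7)",
    "Nov 28 16:01:15 gw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.53:8 198.51.100.10:0 L=84 S=0x00 I=1237 F=0x0000 T=250 (#4)",
    "Nov 28 16:01:16 gw kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.1:11 198.51.100.10:0 L=56 S=0x00 I=1238 F=0x0000 T=250 (#4)",
    "Nov 28 16:01:17 gw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.77:13 198.51.100.10:0 L=40 S=0x00 I=1239 F=0x0000 T=250 (#4)",
    "Nov 28 16:01:18 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.53:53 198.51.100.10:1025 L=512 S=0x00 I=1240 F=0x0000 T=250 (#9)",
]


def parse_line(line):
    """Return the ICMP fields of one ipchains log line, or None if not ICMP."""
    m = LOG_RE.search(line)
    if not m or m.group("proto") != "1":
        return None
    return {"chain": m.group("chain"), "iface": m.group("iface"),
            "src": m.group("src"), "dst": m.group("dst"),
            "type": int(m.group("a")), "code": int(m.group("b"))}


def classify(pkt, name_servers):
    """Label the packet and say whether the thread's allowlist would pass it."""
    t, c = pkt["type"], pkt["code"]
    label = ICMP_TYPES.get(t, f"type-{t}")
    if t == 3:
        label += "/" + UNREACH_CODES.get(c, f"code-{c}")
    verdict = "allow" if t in ALLOWED_TYPES else "keep-blocking"
    note = ""
    if t == 3 and c == 4:
        # Dropping this is what breaks Path MTU discovery and stalls TCP.
        note = "PMTU discovery message; blocking it stalls TCP connections"
    elif t == 3 and c == 3 and pkt["src"] in name_servers:
        note = "port unreachable from a name server: nothing listening on 53"
    elif t == 3 and c == 3:
        note = "port unreachable towards a name server (late reply to a closed socket)"
    return {**pkt, "label": label, "verdict": verdict, "note": note}


def summarize(lines, name_servers):
    """Count blocked ICMP packets by (label, verdict) over a log excerpt."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None:
            r = classify(pkt, name_servers)
            counts[(r["label"], r["verdict"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        pkt = parse_line(line)
        if pkt:
            r = classify(pkt, NAME_SERVERS)
            print(f"{r['src']:>15} -> {r['dst']:<15} {r['label']:<45} "
                  f"{r['verdict']:<14} {r['note']}")
    for (label, verdict), n in sorted(summarize(SAMPLE_LOG, NAME_SERVERS).items()):
        print(f"{n:3d}  {label:<45} {verdict}")
```

Run it against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file's lines; packets that come back as "keep-blocking" are the ones the allowlist of types 0, 3, 8 and 11 would still drop, while any "fragmentation-needed" hits are the ones worth fixing first, since they are the PMTU failures that show up as stalled connections.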


1. icmp : does icmp have no dependency on dns?

hi.

i was working on helping someone to get a suse-install fixed-up for dns,
and found out that he was able to ping places even when there
apparently isn't a valid entry in /etc/rc.config ( which, by default, is
used by the suse scripts to generate a resolv.conf )

the question:

does icmp-packet routing not depend on DNS ?

does tcp-packet routing depend on dns ?

does anything depend on dns besides whatever is buried in something like
a netscape?

  (if so, any tips on (a url for, or a book if no url) where to find a
table of what depends on what?)

thanks!

--
sc
