[dns-operations] DNS Issue

Warren Kumari warren at kumari.net
Fri Apr 26 15:36:35 UTC 2013


On Apr 26, 2013, at 4:32 AM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:

> 
> On Apr 26, 2013, at 12:27 AM, Warren Kumari wrote:
> 
>> I think that in many cases it is not that the named version doesn't support randomization, but rather that they / their firewall group believes that "DNS should only be allowed on port 53 (and UDP, natch)".
> 
> The actual problem being that the DNS servers oughtn't to be behind a firewall in the first place.

Oh, yeah, *fully* agree -- I meant to mention this in my response (actually I was just going to cut-n-paste from an earlier rant on the subject) but forgot.

I'd probably s/firewall/firewall, load-balancer or anything else that keeps state/ -- I know you already mentioned stateful things further down in the thread, but for some reason many folk don't think of load-balancers as keeping state[0]...

W
[0]: Yes, yes, I know that you can configure LBs in a non-stateful / DSR mode (been there, done that, got the t-shirt), but many folk plug an LB in front of their DNS servers in some NAT / stateful manner and then get sad when it falls over…



> 
> ;>
> 
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 
> 	  Luck is the residue of opportunity and design.
> 
> 		       -- John Milton
> 
> 

--
Consider orang-utans.
In all the worlds graced by their presence, it is suspected that they can talk but choose not to do so in case humans put them to work, possibly in the television industry. In fact they can talk. It's just that they talk in Orang-utan. Humans are only capable of listening in Bewilderment.
-- Terry Pratchett




