[dns-operations] Shameless plug for our Zonecheck software (Was: af.mil DNS issue
Joe Abley
jabley at ca.afilias.info
Sun Jul 2 02:55:20 UTC 2006
On 1-Jul-2006, at 13:13, John Payne wrote:
> "Just in case" I'd rather not have an unnecessary DoS vector open
> on my servers if I don't need it.... and taking the experience of a
> company that does a LOT of DNS hits, anyone only doing TCP is in an
> extremely insignificant minority.
Cool. I hadn't actually heard of anybody blocking 53/tcp on purpose,
with full knowledge of the implications before. I have some questions!
Do you log the 53/tcp attempts that you refuse?
Is there a discernible pattern between the queries you see using 53/udp
and those using 53/tcp? Do you see the same client try tcp after
just previously using udp, for example?
Has the DNS server you're using been designed/modified to never
return replies with the TC bit set?
Do you inspect your customers' zones to ensure that no response is
possible that might exceed 512 bytes for a client that doesn't
support EDNS0? Or do you assume everybody supports EDNS0?
Has any customer complained that your DNS service doesn't fully
implement the transport requirements of RFC 1035?
Joe
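The 512-byte and TC-bit questions above can be checked mechanically. The following is an added example, not code from the list post or from Zonecheck: it estimates the wire size of a response for a name's RRset (the owner name is assumed to be compressed to a pointer at the question, as servers normally do) and flags when a non-EDNS0 client would receive a truncated reply and have to retry over 53/tcp; the names and record counts are constructed.

```python
# Added example: estimate whether a DNS response would exceed the 512-byte
# UDP limit of RFC 1035 for a client without EDNS0, and read the TC bit
# from a response header. All names and record counts below are constructed.
import struct

UDP_LIMIT = 512  # RFC 1035 section 4.2.1: max UDP payload without EDNS0


def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def response_size(qname: str, answers) -> int:
    """Wire size of a response: header + question + answer RRs.

    answers is a list of (owner_name, rdata_length). An owner equal to the
    qname is written as a 2-byte compression pointer to the question name
    (the usual server behaviour); any other owner is written in full.
    """
    size = 12 + len(encode_name(qname)) + 4          # header, QNAME, QTYPE, QCLASS
    for owner, rdlen in answers:
        owner_len = 2 if owner == qname else len(encode_name(owner))
        size += owner_len + 10 + rdlen               # TYPE, CLASS, TTL, RDLENGTH
    return size


def needs_tcp_fallback(size: int) -> bool:
    """True if a non-EDNS0 client would get a TC=1 reply and retry over TCP."""
    return size > UDP_LIMIT


def is_truncated(response: bytes) -> bool:
    """Read the TC bit (bit 9 of the flags word) from a DNS response header."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)


if __name__ == "__main__":
    qname = "www.example.com"
    for n in (29, 30):                               # A records carry 4 bytes of RDATA
        size = response_size(qname, [(qname, 4)] * n)
        print(n, "A records ->", size, "bytes, TCP fallback:", needs_tcp_fallback(size))
    # Constructed 12-byte header with QR and TC set (0x8200) and empty sections.
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8200, 1, 0, 0, 0)
    print("TC bit set:", is_truncated(hdr))
```

With compression, 29 A records for www.example.com fit in 497 bytes while 30 reach 513 and would be truncated for a client without EDNS0.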