[dns-operations] Shameless plug for our Zonecheck software (Was: af.mil DNS issue

Joe Abley jabley at ca.afilias.info
Sun Jul 2 02:55:20 UTC 2006

On 1-Jul-2006, at 13:13, John Payne wrote:

> "Just in case"   I'd rather not have an unnecessary DoS vector open
> on my servers if I don't need it.... and taking the experience of a
> company that does a LOT of DNS hits, anyone only doing TCP is in a
> extremely insignificant minority.

Cool. I hadn't actually heard of anybody blocking 53/tcp on purpose,  
with full knowledge of the implications before. I have some questions!

Do you log the 53/tcp attempts that you refuse?

Is there a discernible pattern between the queries you see using 53/udp and those using 53/tcp? Do you see the same client try tcp after just previously using udp, for example?

Has the DNS server you're using been designed/modified to never  
return replies with the TC bit set?

Do you inspect your customers' zones to ensure that no response is possible that might exceed 512 bytes for a client that doesn't support EDNS0? Or do you assume everybody supports EDNS0?

Has any customer complained that your DNS service doesn't fully  
implement the transport requirements of RFC 1035?
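One way to answer the zone-inspection question above, as an added example that is not code from the list or its posters: build the wire-format response a server would send for a delegation and compare its size with the 512-byte UDP limit of RFC 1035 (or an EDNS0 buffer size). The sample delegation (example.com with eight name servers and their glue) and the message id are constructed for the example; name compression follows RFC 1035 section 4.1.4, and `compress=False` gives the uncompressed upper bound.

```python
"""Estimate the wire size of a DNS response and whether a client without
EDNS0 would receive it truncated (TC=1) over UDP.

Added example, not code from the dns-operations list or its posters.
It builds a minimal wire-format response with RFC 1035 section 4.1.4
name compression (compress=False gives the uncompressed upper bound)
and compares the size with the 512-byte UDP limit of RFC 1035 or an
EDNS0 advertised buffer size.
"""
import ipaddress
import struct

UDP_LIMIT_RFC1035 = 512          # max UDP payload a non-EDNS0 client accepts
TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28


def encode_name(name, table=None, offset=0):
    """Encode a domain name as DNS labels. When a compression table is
    given, reuse a suffix already present in the message as a 2-byte
    pointer and record new suffixes at their offsets."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if table is not None and suffix in table:
            return out + struct.pack("!H", 0xC000 | table[suffix])
        if table is not None and offset + len(out) < 0x4000:
            table[suffix] = offset + len(out)
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %s" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(qname, qtype, answers, authority=(), additional=(), compress=True):
    """Return the wire bytes of a response; sections are lists of
    (owner, rtype, ttl, value) with value an address string or a name."""
    table = {} if compress else None
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180,   # constructed id; QR|RD|RA
                                1, len(answers), len(authority), len(additional)))
    msg += encode_name(qname, table, len(msg)) + struct.pack("!HH", qtype, 1)
    for section in (answers, authority, additional):
        for owner, rtype, ttl, value in section:
            msg += encode_name(owner, table, len(msg))
            if rtype == TYPE_NS:
                # rdata begins after the 10 fixed bytes (type, class, ttl, rdlength)
                rdata = encode_name(value, table, len(msg) + 10)
            elif rtype == TYPE_A:
                rdata = ipaddress.IPv4Address(value).packed
            elif rtype == TYPE_AAAA:
                rdata = ipaddress.IPv6Address(value).packed
            else:
                raise ValueError("unsupported rtype %d" % rtype)
            msg += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return bytes(msg)


def would_truncate(msg, edns_bufsize=None):
    """True if a UDP reply of this size would have to carry TC=1 for a client
    whose limit is 512 bytes (no EDNS0) or its advertised EDNS0 buffer size."""
    limit = edns_bufsize if edns_bufsize else UDP_LIMIT_RFC1035
    return len(msg) > limit


# Constructed sample delegation (not from the thread): 8 name servers,
# each with A and AAAA glue.
NS_RRS = [("example.com", TYPE_NS, 86400, "ns%d.example.com" % i) for i in range(1, 9)]
A_GLUE = [("ns%d.example.com" % i, TYPE_A, 86400, "192.0.2.%d" % i) for i in range(1, 9)]
AAAA_GLUE = [("ns%d.example.com" % i, TYPE_AAAA, 86400, "2001:db8::%d" % i) for i in range(1, 9)]


def delegation_sizes():
    """Compressed sizes of the referral with IPv4 glue only and with IPv4+IPv6 glue."""
    v4_only = build_response("example.com", TYPE_NS, NS_RRS, additional=A_GLUE)
    v4_v6 = build_response("example.com", TYPE_NS, NS_RRS, additional=A_GLUE + AAAA_GLUE)
    return len(v4_only), len(v4_v6)


if __name__ == "__main__":
    v4, v46 = delegation_sizes()
    print("v4 glue only: %d bytes, TC for non-EDNS0 client: %s" % (v4, v4 > UDP_LIMIT_RFC1035))
    print("v4+v6 glue:   %d bytes, TC for non-EDNS0 client: %s" % (v46, v46 > UDP_LIMIT_RFC1035))
```

With compression the eight-server referral fits in 512 bytes while it carries IPv4 glue only, but adding AAAA glue for the same servers pushes it over the limit, so a client without EDNS0 gets TC=1 and must retry over TCP; the uncompressed form of the same message is far larger still. Running the check over each customer zone's largest possible answers (delegations with glue, large RRsets, TXT records) is how a provider that refuses 53/tcp could tell which zones will break for such clients. A real server may compress slightly differently or omit some glue, so treat the numbers as an estimate rather than a byte-exact prediction.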

