[dns-operations] Shameless plug for our Zonecheck software (Was: af.mil DNS issue
john at sackheads.org
Sun Jul 2 03:38:11 UTC 2006
On Sat, Jul 01, 2006 at 10:55:20PM -0400, Joe Abley wrote:
> On 1-Jul-2006, at 13:13, John Payne wrote:
> >"Just in case" I'd rather not have an unnecessary DoS vector open
> >on my servers if I don't need it.... and taking the experience of a
> >company that does a LOT of DNS hits, anyone only doing TCP is in a
> >extremely insignificant minority.
> Cool. I hadn't actually heard of anybody blocking 53/tcp on purpose,
> with full knowledge of the implications before. I have some questions!
> Do you log the 53/tcp attempts that you refuse?
Nope. TTBOMK $employer has never supported 53/tcp and as nobody has
complained about it, never had the need to log.
> Is there a discernible pattern between the queries you see using 53/
> udp and those using 53/tcp? Do you see the same client try tcp after
> just previously using udp, for example?
Can't say - no logs. I suppose I could rig up an experiment if I find
> Has the DNS server you're using been designed/modified to never
> return replies with the TC bit set?
> Do you inspect your customers' zones to ensure that no response is
> possible that might exceed 512 bytes for a client that doesn't
> support EDNS0? Or do you assume everybody supports EDNS0?
Most of our zones aren't customer zones. Of those that are, the
server makes sure the response doesn't exceed 512 bytes.
> Has any customer complained that your DNS service doesn't fully
> implement the transport requirements of RFC 1035?
Not to my knowledge, and certainly not calling out the RFC.
I think we did get a "TCP monitor failed" along with an "ICMP ping"
failed, to which the response is "we don't do TCP, and we block
Every once in a blue moon we get a "why can't we transfer our
.fr zone to your servers?" but that's about it.
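The two technical points raised above, a zone check for answers that cannot fit a non-EDNS0 UDP reply, and the TC-bit fallback a server normally relies on when it does speak TCP, can be made concrete with a small wire-format sizer. The following is an added example, not code from either poster or from the Zonecheck software named in the subject line; the zone contents, the host names and the "drop the trailing records and set TC" policy are all constructed for illustration, and names are encoded without label compression, so the sizes are a conservative upper bound on what a real server would send:

```python
import struct

UDP_LIMIT_NO_EDNS = 512        # RFC 1035 ceiling for a plain UDP reply
TYPE_A, TYPE_TXT = 1, 16
CLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name. No label compression, so sizes are an upper bound."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def a_rdata(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def txt_rdata(text: str) -> bytes:
    data = text.encode("ascii")
    assert len(data) <= 255, "one <character-string> per TXT rdata in this example"
    return bytes([len(data)]) + data


def encode_rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def response_size(qname: str, qtype: int, rrset) -> int:
    """Bytes a minimal reply (header + question + answer RRset) occupies on the wire."""
    size = 12 + len(encode_name(qname)) + 4
    for rtype, ttl, rdata in rrset:
        size += len(encode_rr(qname, rtype, ttl, rdata))
    return size


def oversized_rrsets(zone: dict, limit: int = UDP_LIMIT_NO_EDNS):
    """Zone check: which (name, type) answers cannot fit a non-EDNS0 UDP reply?
    A server that refuses 53/tcp has to keep this list empty."""
    return sorted((name, rtype) for (name, rtype), rrset in zone.items()
                  if response_size(name, rtype, rrset) > limit)


def build_response(qname: str, qtype: int, rrset, max_payload: int, txid: int = 0x1234):
    """Assemble a reply that fits max_payload (512, or what the client's OPT RR advertised).
    Records that do not fit are dropped and TC is set, telling the client to retry over TCP;
    that retry is exactly what a TCP-less server cannot serve."""
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    body, included = b"", 0
    for rtype, ttl, rdata in rrset:
        wire = encode_rr(qname, rtype, ttl, rdata)
        if 12 + len(question) + len(body) + len(wire) > max_payload:
            break
        body += wire
        included += 1
    truncated = included < len(rrset)
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, included, 0, 0)
    return header + question + body, truncated


# Constructed sample zone (not from the thread): an 18-address round-robin A set,
# a single-address A set, and three 200-byte TXT records on the apex.
ZONE = {
    ("www.example.test.", TYPE_A): [(TYPE_A, 300, a_rdata(f"192.0.2.{i}")) for i in range(1, 19)],
    ("mail.example.test.", TYPE_A): [(TYPE_A, 300, a_rdata("192.0.2.50"))],
    ("example.test.", TYPE_TXT): [(TYPE_TXT, 300, txt_rdata("x" * 200)) for _ in range(3)],
}

if __name__ == "__main__":
    for name, rtype in oversized_rrsets(ZONE):
        size = response_size(name, rtype, ZONE[(name, rtype)])
        print(f"{name} type {rtype}: {size} bytes exceeds {UDP_LIMIT_NO_EDNS} without EDNS0")
    msg, tc = build_response("www.example.test.", TYPE_A, ZONE[("www.example.test.", TYPE_A)], 512)
    print(f"plain UDP reply: {len(msg)} bytes, TC set: {tc}")
```

Run as-is, the check flags the fat A set and the TXT set; the 512-byte reply for the A set comes back with TC set and only the records that fit, which is the situation a client would normally resolve by retrying over 53/tcp. Against a client advertising a 4096-byte EDNS0 payload the same set goes out whole, so an operator who blocks TCP is relying on either EDNS0 support on the client side or on every RRset passing this check.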