[dns-operations] Shameless plug for our Zonecheck software (Was: af.mil DNS issue

John Payne john at sackheads.org
Sun Jul 2 03:38:11 UTC 2006

On Sat, Jul 01, 2006 at 10:55:20PM -0400, Joe Abley wrote:
> On 1-Jul-2006, at 13:13, John Payne wrote:
> >"Just in case"   I'd rather not have an unnecessary DoS vector open
> >on my servers if I don't need it.... and taking the experience of a
> >company that does a LOT of DNS hits, anyone only doing TCP is in an
> >extremely insignificant minority.
> Cool. I hadn't actually heard of anybody blocking 53/tcp on purpose,  
> with full knowledge of the implications before. I have some questions!
> Do you log the 53/tcp attempts that you refuse?

Nope.  TTBOMK $employer has never supported 53/tcp and as nobody has
complained about it, never had the need to log.

> Is there a discernible pattern between the queries you see using 53/ 
> udp and those using 53/tcp? Do you see the same client try tcp after  
> just previously using udp, for example?

Can't say - no logs.  I suppose I could rig up an experiment if I find
the time.

> Has the DNS server you're using been designed/modified to never  
> return replies with the TC bit set?

> Do you inspect your customers' zones to ensure that no response is  
> possible that might exceed 512 bytes for a client that doesn't  
> support EDNS0? Or do you assume everybody supports EDNS0?

Most of our zones aren't customer zones.  Of those that are, the
server makes sure the response doesn't exceed 512 bytes.

> Has any customer complained that your DNS service doesn't fully  
> implement the transport requirements of RFC 1035?

Not to my knowledge, and certainly not calling out the RFC.
I think we did get a "TCP monitor failed" along with an "ICMP ping"
failed, to which the response is "we don't do TCP, and we block 
ping too".

Every once in a blue moon we get a "why can't we transfer our 
.fr zone to your servers?" but that's about it.

> Joe
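
The experiment Joe is asking about (does a non-EDNS0 client ever get TC=1 back over UDP, and is a TCP retry then possible?) can be rigged up with a few dozen lines of wire-format code. The following is an added example, not code from either poster or from Zonecheck: it builds a plain 512-byte-limited query and an EDNS0 query with a larger advertised buffer, parses the response header to detect the TC bit, and decides whether a resolver would fall back to 53/tcp. The sample truncated response, the query ID 0x1234 and the name example.com are constructed for illustration; the two socket helpers need a network and are only exercised under `__main__`, everything else runs offline.

```python
import socket
import struct

DNS_UDP_MAX_PLAIN = 512  # RFC 1035 ceiling for a UDP answer when the client sent no OPT record


def encode_name(name):
    """Encode a domain name as DNS wire-format labels, e.g. example.com -> \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, qid=0x1234, edns_bufsize=None):
    """Build a recursion-desired query for (name, qtype, IN).

    With edns_bufsize set, an OPT pseudo-record (RFC 6891) is appended in the
    additional section advertising that UDP payload size; without it the
    server must keep the reply at or below 512 bytes or set TC."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    question = encode_name(name) + struct.pack("!HH", qtype, 1)     # QCLASS IN
    pkt = header + question
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS carries the buffer size,
        # TTL carries ext-rcode/version/flags (all zero), RDLENGTH 0.
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return pkt


def parse_header(msg):
    """Return the 12-byte DNS header as a dict; raises on a short message."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(response):
    """RFC 1035 4.2.1: a truncated UDP reply is retried over TCP by the
    resolver. An authoritative server that drops 53/tcp turns that retry
    into a timeout, so TC=1 from such a server is the condition to hunt for."""
    return parse_header(response)["tc"]


def fits_plain_udp(response):
    """True if the reply could have been delivered whole to a non-EDNS0 client."""
    return len(response) <= DNS_UDP_MAX_PLAIN


# Constructed sample: the header an authoritative server would send back for
# the query above when the full answer does not fit in 512 bytes
# (QR=1, AA=1, TC=1, RD=1, RCODE=0, one question, no answers).
SAMPLE_TRUNCATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8700, 1, 0, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
)


def udp_exchange(server, pkt, timeout=2.0):
    """Send one query over 53/udp and return the raw reply (network required)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(65535)
    return data


def tcp_exchange(server, pkt, timeout=2.0):
    """Same query over 53/tcp, which frames messages with a 2-byte length prefix."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(pkt)) + pkt)
        buf = b""
        while len(buf) < 2:
            chunk = s.recv(2 - len(buf))
            if not chunk:
                raise ConnectionError("connection closed before length prefix")
            buf += chunk
        (length,) = struct.unpack("!H", buf)
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                raise ConnectionError("connection closed mid-message")
            data += chunk
    return data


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]          # e.g. 192.0.2.1 example.com (placeholders)
    plain = udp_exchange(server, build_query(name, qtype=16))  # TXT answers are the usual 512-byte offenders
    print("plain UDP: %d bytes, TC=%s" % (len(plain), parse_header(plain)["tc"]))
    if needs_tcp_retry(plain):
        try:
            full = tcp_exchange(server, build_query(name, qtype=16))
            print("TCP retry: %d bytes" % len(full))
        except OSError as e:
            print("TCP retry failed (server blocks 53/tcp?): %s" % e)
    edns = udp_exchange(server, build_query(name, qtype=16, edns_bufsize=4096))
    print("EDNS0 UDP: %d bytes, TC=%s" % (len(edns), parse_header(edns)["tc"]))
```

Running the live probe against a server that blocks 53/tcp shows the failure mode directly: the plain query comes back with TC=1, the TCP retry times out, and only the EDNS0 query gets the whole answer, which is exactly the client population the thread is arguing about.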
