[dns-operations] Shameless plug for our Zonecheck software (Was: af.mil DNS issue

Peter Dambier peter at peter-dambier.de
Mon Jul 3 22:02:48 UTC 2006

John Payne wrote:
> On Jul 3, 2006, at 4:21 PM, Stephane Bortzmeyer wrote:
>>On Mon, Jul 03, 2006 at 04:13:24PM -0400,
>> John Payne <john at sackheads.org> wrote
>> a message of 21 lines which said:
>>>If I choose NOT to, I have zero reason for TCP or EDNS0 queries.
>>BTW, I can understand (I did not say "agree") why some people hesitate
>>to allow TCP but what's the problem with EDNS0?
> Why code something I don't have a need for?  Code bloat is never  
> something to be proud of... and leaving unexercised code paths lying  
> around is a time bomb.

I have seen people arguing that udp is bad. You can fake source addresses
to missuse it for amplifying attacks. If DNS was tcp only there would be
no amplifying attacks.

The part I would leave away is axfr.

The contents of domains like de or fr is a trade secret. That is why almost
nobody allows axfr. The few who allow it could just use html or ftp with
better performance.  :)  :)  :)

I think there is only one good reason to block dns tcp


Mail may not be delivered to certain domains if Server OS is Windows Server 2003


This issue occurs if all the following conditions are true:

The DNS computer that your SMTP computer queries to obtain the mail exchanger
(MX) resource records of the destination computer is configured to only accept
User Datagram Protocol (UDP) queries.

Peter and Karin Dambier

Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com

More information about the dns-operations mailing list