[dns-operations] Shameless plug for our Zonecheck software (Was: af.mil DNS issue
john at sackheads.org
Tue Jul 4 02:19:41 UTC 2006
On Jul 3, 2006, at 6:02 PM, Peter Dambier wrote:
> I have seen people arguing that udp is bad. You can fake source
> to misuse it for amplifying attacks. If DNS was tcp only there would be
> no amplifying attacks.
Too late to remove UDP now.
> The part I would leave away is axfr.
> The contents of domains like de or fr are a trade secret. That is why almost
> nobody allows axfr. The few who allow it could just use html or ftp for
> better performance. :) :) :)
I doubt trade secret is the reason most people block just anyone from
axfr. My personal reason is that nobody but my slave nameservers has
business with the zone file.
> I think there is only one good reason to block dns tcp
> Mail may not be delivered to certain domains if Server OS is
> Windows Server 2003
> This issue occurs if all the following conditions are true:
> The DNS computer that your SMTP computer queries to obtain the mail
> (MX) resource records of the destination computer is configured to only accept
> User Datagram Protocol (UDP) queries.
OK, you made me look for the other reasons, because that alone
So, you only accept UDP and you send a truncated reply. Excuse me for not being
surprised if things break.
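The failure John describes (a UDP-only server, a reply that does not fit in the UDP payload, and a client that can never complete the lookup) comes down to one header bit. The following is an added example, not code from the thread or from Zonecheck: it builds constructed DNS messages, parses the 12-byte header, and shows the decision a client has to make when the TC (truncated) bit is set. The function names (`build_message`, `parse_header`, `next_step`) and the sample transaction id and query name are assumptions for illustration.

```python
"""Added example: what a DNS client must do with a truncated UDP reply.

Constructed messages only; nothing here touches the network.
"""
import struct

# DNS header, RFC 1035 section 4.1.1: id, flags, qdcount, ancount, nscount, arcount
HEADER = struct.Struct("!6H")

QR = 0x8000  # message is a response
TC = 0x0200  # response was truncated: it did not fit in the UDP payload
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
TYPE_MX = 15
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(txid, name, qtype, *, response=False, truncated=False, ancount=0):
    """Build a minimal DNS message: header plus one question section.

    For a truncated response the answer section is deliberately left out,
    which is exactly what a client sees when a server cuts a reply at 512 bytes.
    """
    flags = RD
    if response:
        flags |= QR | RA
    if truncated:
        flags |= TC
    header = HEADER.pack(txid, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question


def parse_header(msg):
    """Decode the fixed header; raise on anything shorter than 12 bytes."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message: %d bytes" % len(msg))
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "tc": bool(flags & TC),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def next_step(query_id, udp_reply, tcp_reachable):
    """Decide what a resolver does with the UDP reply it just received.

    tcp_reachable models whether port 53/tcp on that server is usable at all;
    the mail-delivery failure quoted in the thread is the False branch.
    """
    h = parse_header(udp_reply)
    if h["id"] != query_id:
        return "ignore: transaction id mismatch"
    if not h["qr"]:
        return "ignore: not a response"
    if not h["tc"]:
        return "use udp answer"
    if tcp_reachable:
        return "retry over tcp"
    return "fail: truncated answer and tcp unreachable"


if __name__ == "__main__":
    # Constructed sample: an MX lookup whose reply was too large for UDP.
    TXID = 0x1234  # assumed transaction id
    truncated = build_message(TXID, "example.com", TYPE_MX, response=True, truncated=True)
    complete = build_message(TXID, "example.com", TYPE_MX, response=True, ancount=2)
    print(next_step(TXID, truncated, tcp_reachable=True))   # retry over tcp
    print(next_step(TXID, truncated, tcp_reachable=False))  # fail: ...
    print(next_step(TXID, complete, tcp_reachable=False))   # use udp answer
```

The point of the example is the last branch: a server that answers only over UDP can still set TC, and a compliant client then has nowhere to go. Checking that an authoritative server answers on 53/tcp, and that replies for record sets likely to exceed 512 bytes (large MX or NS sets, DNSSEC-signed answers) are actually retrievable, is the kind of test a zone-checking tool should run before a zone is delegated.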