[dns-operations] Shameless plug for our Zonecheck software (Was: af.mil DNS issue

John Payne john at sackheads.org
Tue Jul 4 02:19:41 UTC 2006

On Jul 3, 2006, at 6:02 PM, Peter Dambier wrote:

> I have seen people arguing that UDP is bad. You can fake source addresses
> to misuse it for amplifying attacks. If DNS was TCP only there would be
> no amplifying attacks.

Too late to remove UDP now.

> The part I would leave out is AXFR.
> The contents of domains like de or fr are a trade secret. That is why almost
> nobody allows AXFR. The few who allow it could just use HTML or FTP with
> better performance.  :)  :)  :)

I doubt trade secret is the reason most people block just anyone from
AXFR.  My personal reason is that nobody but my slave nameservers has any
business with the zone file.

> I think there is only one good reason to block DNS TCP:
> http://support.microsoft.com/?id=820284
> Mail may not be delivered to certain domains if Server OS is Windows Server 2003
> This issue occurs if all the following conditions are true:
> The DNS computer that your SMTP computer queries to obtain the mail exchanger
> (MX) resource records of the destination computer is configured to only accept
> User Datagram Protocol (UDP) queries.
> ...

OK, you made me look for the other reasons, because that alone _would_ have
caused complaints.

So, you only accept UDP and you send a truncated reply.  Excuse me for not being
surprised if things break.
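The failure being discussed above, as an added worked example (this is not code from the original post, from Zonecheck, or from Microsoft's article): a resolver queries over UDP, the authoritative server has more MX records than fit in a 512-byte UDP answer and so sets the TC bit, and the resolver retries the same query over TCP as RFC 1035 requires. When the server is reachable only over UDP, that retry is refused and the MX lookup fails outright. The servers, the zone contents and the query ID are all constructed for the example; nothing touches the network.

```python
import struct

# DNS message header (RFC 1035 s4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000          # response
FLAG_TC = 0x0200          # truncated: client should retry over TCP
FLAG_RD = 0x0100          # recursion desired
QTYPE_MX, QCLASS_IN = 15, 1
UDP_MAX = 512             # classic UDP payload limit without EDNS0 (RFC 1035 s2.3.4)


def encode_name(name):
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_name(msg, off):
    """Return (name, offset after the name); follows compression pointers (s4.1.4)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(qid, name, qtype=QTYPE_MX):
    return HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def is_truncated(msg):
    return bool(HEADER.unpack_from(msg)[1] & FLAG_TC)


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (s4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (n,) = struct.unpack_from("!H", data)
    return data[2:2 + n]


def parse_mx(msg):
    """Return [(preference, host), ...] from the answer section of an MX response."""
    _, _, qd, an, _, _ = HEADER.unpack_from(msg)
    off = HEADER.size
    for _ in range(qd):                       # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    hosts = []
    for _ in range(an):
        _, off = decode_name(msg, off)        # owner name
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == QTYPE_MX:
            pref = struct.unpack_from("!H", msg, off)[0]
            hosts.append((pref, decode_name(msg, off + 2)[0]))
        off += rdlen
    return hosts


class FakeServer:
    """Constructed stand-in for an authoritative server (no sockets involved)."""

    def __init__(self, tcp_enabled, mx_hosts):
        self.tcp_enabled = tcp_enabled
        self.mx_hosts = mx_hosts

    def _full_answer(self, query):
        qid, _, qd, _, _, _ = HEADER.unpack_from(query)
        question = query[HEADER.size:]
        rrs = b""
        for pref, host in enumerate(self.mx_hosts, 10):
            rdata = struct.pack("!H", pref) + encode_name(host)
            # owner = pointer to the question name at offset 12; TTL 3600
            rrs += struct.pack("!HHHIH", 0xC00C, QTYPE_MX, QCLASS_IN, 3600, len(rdata)) + rdata
        return HEADER.pack(qid, FLAG_QR | FLAG_RD, qd, len(self.mx_hosts), 0, 0) + question + rrs

    def udp(self, query):
        full = self._full_answer(query)
        if len(full) <= UDP_MAX:
            return full
        # Too big for UDP: reply with header + question only and TC=1.
        qid, _, qd, _, _, _ = HEADER.unpack_from(query)
        return HEADER.pack(qid, FLAG_QR | FLAG_RD | FLAG_TC, qd, 0, 0, 0) + query[HEADER.size:]

    def tcp(self, frame):
        if not self.tcp_enabled:
            raise ConnectionRefusedError("53/tcp filtered")
        return tcp_frame(self._full_answer(tcp_unframe(frame)))


def lookup_mx(name, server, qid=0x1234):
    """Resolver side: UDP first, retry over TCP when TC=1 (RFC 1035 s4.2.1)."""
    query = build_query(qid, name)
    reply = server.udp(query)
    if is_truncated(reply):
        try:
            reply = tcp_unframe(server.tcp(tcp_frame(query)))
        except (ConnectionRefusedError, TimeoutError) as exc:
            raise LookupError("%s: truncated UDP answer and TCP retry failed (%s)" % (name, exc))
    return [host for _, host in sorted(parse_mx(reply))]


# Constructed zones: 16 MX records overflow 512 bytes, 2 do not.
BIG_ZONE = ["mx%02d.mail.example.net" % i for i in range(16)]
TCP_OK = FakeServer(tcp_enabled=True, mx_hosts=BIG_ZONE)
UDP_ONLY = FakeServer(tcp_enabled=False, mx_hosts=BIG_ZONE)
SMALL = FakeServer(tcp_enabled=False, mx_hosts=BIG_ZONE[:2])

if __name__ == "__main__":
    print(len(lookup_mx("example.com", TCP_OK)), "MX hosts via TCP fallback")
    print(len(lookup_mx("example.com", SMALL)), "MX hosts, UDP alone was enough")
    try:
        lookup_mx("example.com", UDP_ONLY)
    except LookupError as e:
        print("delivery would fail:", e)
```

The UDP-only server is not wrong to set TC (the answer really does not fit), so the only sane ways to stay UDP-only are to keep every answer under the UDP limit or to let EDNS0 raise it; blocking 53/tcp while still emitting TC=1 is exactly the combination the Microsoft article describes.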

