[dns-operations] Shameless plug for our Zonecheck software (Was: af.mil DNS issue

John Payne john at sackheads.org
Tue Jul 4 02:19:41 UTC 2006


On Jul 3, 2006, at 6:02 PM, Peter Dambier wrote:

> I have seen people arguing that udp is bad. You can fake source addresses
> to misuse it for amplifying attacks. If DNS was tcp only there would be
> no amplifying attacks.

Too late to remove UDP now.

> The part I would leave away is axfr.
>
> The contents of domains like de or fr are a trade secret. That is why almost
> nobody allows axfr. The few who allow it could just use html or ftp with
> better performance.  :)  :)  :)

I doubt trade secret is the reason most people block just anyone from doing
axfr.  My personal reason is that nobody but my slave nameservers has any
business with the zone file.


> I think there is only one good reason to block dns tcp
>
> http://support.microsoft.com/?id=820284
>
> Mail may not be delivered to certain domains if Server OS is Windows Server 2003
>
> CAUSE
>
> This issue occurs if all the following conditions are true:
>
> The DNS computer that your SMTP computer queries to obtain the mail exchanger
> (MX) resource records of the destination computer is configured to only accept
> User Datagram Protocol (UDP) queries.
> ...

OK, you made me look for the other reasons, because that alone _would_ have
caused complaints.

So, you only accept UDP and you send a truncated reply.  Excuse me for not being
surprised if things break.
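The failure John points at (a UDP-only server answering with the TC bit set) comes down to the resolver's truncation rule in RFC 1035: a truncated UDP reply must be re-asked over TCP, so a server that never listens on TCP turns every over-size MX answer into a timeout. The following is an added illustration, not code from the thread or from Zonecheck: it builds an MX query, decodes the header, decides whether a TCP retry is required, and applies the two-byte TCP framing. The reply bytes are constructed in-line, no network is used, and example.com and the query id are arbitrary.

```python
import struct

TC_FLAG = 0x0200        # TC ("truncated") bit in the DNS header flags word
QTYPE_MX = 15

def build_query(qname, qtype=QTYPE_MX, qid=0x1234):
    """Wire-format query with RD set: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte header; the TC bit is the field a resolver must act on."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(udp_reply):
    """RFC 1035 rule: a UDP reply with TC=1 is incomplete and must be re-asked over TCP.
    A server that accepts UDP only turns that retry into a timeout, which is the
    MX-lookup failure described in the KB article quoted above."""
    return parse_header(udp_reply)["tc"]

def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def unframe_from_tcp(stream):
    """Strip the TCP length prefix and check that the framed length is really there."""
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("short TCP DNS frame")
    return body

def constructed_truncated_reply(query):
    """Constructed sample: echo the question back with QR, RD, RA and TC set and
    no answer records, i.e. what a UDP-only server sends for an over-size MX set."""
    qid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | 0x0100 | 0x0080 | TC_FLAG
    return struct.pack("!HHHHHH", qid, flags, qd, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("example.com")
    r = constructed_truncated_reply(q)
    print("truncated reply, retry over TCP:", needs_tcp_retry(r))
    print("TCP frame:", frame_for_tcp(q).hex())
```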