[dns-operations] PMTUD of .org servers

Florian Weimer fw at deneb.enyo.de
Sat Jun 20 14:32:37 UTC 2009

* Paul Vixie:

>> From: Florian Weimer <fw at deneb.enyo.de>
>> Date: Sat, 20 Jun 2009 16:00:01 +0200
>> I know it's very difficult to build static packet filter rules which
>> handle fragmented traffic properly.  (Stateful packet filters which are
>> part of proprietary network devices are usually not fast enough to cope
>> with heavy DNS or HTTP traffic.)  I can't really fault anyone who tries
>> to make shortcuts.
> then they ought to pass all udp fragments to/from their dns servers,
> statelessly.

Yes, except that it sometimes doubles or triples the rule count
(there's the issue of small fragment offsets to worry about).
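
An added illustration, not part of the original message: a stateless per-packet classifier showing why fragment handling multiplies the rules for one DNS service (port match on first fragments, address-only match on later fragments, and a separate rule for small non-zero offsets). The server address, the offset threshold and the helper names are assumptions made for the example; the message does not say which offsets it has in mind.

```python
import struct

DNS_SERVER = "192.0.2.53"  # assumed server address (documentation range)
MIN_LATER_OFFSET = 8       # assumed policy threshold, in 8-byte offset units

def ipv4(src, dst, proto, offset_units, more_frags, payload):
    """Build a constructed IPv4 packet (20-byte header, checksum left at 0)."""
    flags_frag = (0x2000 if more_frags else 0) | offset_units
    pack_addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                       64, proto, 0, pack_addr(src), pack_addr(dst)) + payload

def udp(sport, dport, data):
    """Build a constructed UDP datagram (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Stateless verdict: uses only fields present in this one packet."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    offset = flags_frag & 0x1FFF  # fragment offset in 8-byte units
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    if pkt[9] != 17 or DNS_SERVER not in (src, dst):
        return "drop"  # not UDP, or not to/from the DNS server
    if offset == 0:
        # Rule 1: unfragmented datagram or first fragment, UDP ports are visible.
        if len(pkt) < ihl + 8:
            return "drop"  # too short to hold the UDP header
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        to_server = dst == DNS_SERVER and dport == 53
        from_server = src == DNS_SERVER and sport == 53
        return "pass" if to_server or from_server else "drop"
    if offset < MIN_LATER_OFFSET:
        # Rule 3: the extra rule for small non-zero fragment offsets.
        return "drop"
    # Rule 2: later fragment carries no UDP header, so only address and
    # protocol can be matched; the port condition of rule 1 is unavailable.
    return "pass"
```
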
