[dns-operations] The possible problems after May 5th

Mark Andrews marka at isc.org
Thu Apr 8 11:57:52 UTC 2010


In message <20100408065027.GB19402 at nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Apr 08, 2010 at 10:21:33AM +1000,
>  Mark Andrews <marka at isc.org> wrote 
>  a message of 36 lines which said:
> 
> > If you block DNS over TCP 
> 
> In my text, I used things like "Clean TCP path", not "*you* block TCP"
> assertions, because the ability to perform a request over TCP depends on
> several actors (the resolver, the firewall, the authoritative name
> server - Akamai still does not allow TCP).

And unless you have configured them otherwise they will just work.

Recursive nameservers make TCP connections by default on TC.
Authoritative nameservers accept TCP connections by default.
Most firewalls allow the outbound TCP connections by default;
if not, then you have configured them to be blocked.

> > If you block UDP DNS packets bigger than 512 bytes then DNS lookups
> > will be slower than they should be.
> 
> This assumes that the resolver retries when replies to EDNS queries
> don't come back. BIND does it (after a timeout expired) but what do
> other resolvers do?

The others that I'm aware of do as well.  Some however go straight
to plain DNS.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
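The two fallback behaviours discussed in this thread (retry over TCP when a reply comes back with TC set, and retry without EDNS when a large-UDP reply never arrives) are shown below as an added, self-contained example. It is not code from the original message, from ISC or from BIND; the wire-format builder and parser follow RFC 1035/6891 header and OPT layouts, while the "network path" functions are constructed simulations (a firewall that drops UDP datagrams over 512 bytes but passes TCP, and a clean path), and the response bodies are zero padding standing in for resource records. The action names in `next_step` are this example's own.

```python
import struct

# DNS header flag bits (RFC 1035) and the OPT pseudo-RR type (RFC 6891)
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
TYPE_OPT = 41


def encode_name(name):
    """Encode a dotted name in DNS wire format (no label compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, qtype=1, edns_bufsize=None):
    """Build a query; with edns_bufsize set, append an OPT RR advertising that UDP payload size."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT RR: root owner name, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field holds extended rcode / version / flags, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def parse_header(msg):
    """Return the fields a resolver needs from the 12-byte header."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "ancount": an, "arcount": ar}


def next_step(response, used_edns, over_tcp):
    """Decide the resolver's next action after one attempt (response is None on timeout)."""
    if response is None:
        if not over_tcp and used_edns:
            return "retry_without_edns"   # the EDNS-timeout fallback described in the thread
        return "try_next_server"
    if parse_header(response)["tc"]:
        # TC on a UDP reply means the answer did not fit: repeat the query over TCP
        return "retry_over_tcp" if not over_tcp else "try_next_server"
    return "accept"


def resolve(name, path, edns_bufsize=4096):
    """Walk the fallback ladder against a simulated path; returns (attempts, final_response)."""
    attempts, used_edns, over_tcp, qid = [], True, False, 0x1234
    while True:
        attempts.append("tcp" if over_tcp else ("udp+edns" if used_edns else "udp"))
        query = build_query(qid, name, 1, edns_bufsize if used_edns else None)
        action = next_step(resp := path(query, over_tcp), used_edns, over_tcp)
        if action == "accept":
            return attempts, resp
        if action == "retry_without_edns":
            used_edns = False
        elif action == "retry_over_tcp":
            over_tcp = True
        else:
            return attempts, None


def make_filtering_path(answer_size):
    """Constructed simulation: firewall drops UDP > 512 bytes but allows TCP (TCP length prefix omitted)."""
    def path(query, over_tcp):
        qid = struct.unpack("!H", query[:2])[0]
        arcount = struct.unpack("!H", query[10:12])[0]
        full = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD, 1, 1, 0, 0) + b"\x00" * (answer_size - 12)
        if over_tcp:
            return full
        if arcount:   # EDNS query: server sends a large UDP reply, which the firewall silently drops
            return None
        # plain DNS: server fits what it can into 512 bytes and sets TC
        return struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0) + b"\x00" * 500
    return path


def make_clean_path(answer_size):
    """Constructed simulation: nothing in the way, the first EDNS/UDP attempt succeeds."""
    def path(query, over_tcp):
        qid = struct.unpack("!H", query[:2])[0]
        return struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD, 1, 1, 0, 0) + b"\x00" * (answer_size - 12)
    return path


if __name__ == "__main__":
    print(resolve("example.com", make_filtering_path(1200))[0])   # three round trips
    print(resolve("example.com", make_clean_path(1200))[0])       # one round trip
```

Running it shows why the thread calls the filtered case "slower than it should be": the same answer costs one round trip on a clean path and three (an EDNS timeout, a truncated UDP reply, then TCP) when a middlebox drops large UDP. The TC check is deliberately done on the header alone, so the lookup keeps working no matter what the truncated body contains.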