[dns-operations] The possible problems after May 5th
bert hubert
bert.hubert at netherlabs.nl
Thu Apr 8 13:35:28 UTC 2010
On Thu, Apr 08, 2010 at 09:12:40AM -0400, Joe Abley wrote:
> > And unless you have configured them otherwise they will just work.
> >
> > Recursive nameservers make TCP connections by default on TC.

Some send out questions without EDNS normally, and will first attempt EDNS
on TC=1, and only then TCP if that fails.

> > Authoritative nameservers accept TCP connections by default.

Try it. Block UDP for your resolver and see how far you get.

> > Most firewalls allow the outbound TCP connections by default
>
> Just to be clear, are you talking about your personal experience of the Internet with BIND9, or are you talking about research you have done across a broad slice of Internet users?

Loads of firewalls I know have indeed been configured with TCP/53 blocked,
or more specifically, everything blocked except perhaps UDP/53.

Bert
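
The fallback order described in the message above (plain UDP, then UDP with EDNS on TC=1, then TCP), as an added example that is not part of the original post. All function names are hypothetical, the response headers are constructed rather than captured, and "fails" is modelled as a second truncated reply; the `firewall_allows` parameter models a firewall that passes only UDP/53.

```python
import struct

TC_FLAG = 0x0200  # truncation bit in the DNS header flags word
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def build_query(name, qid, edns_size=None):
    """Encode an A query; append an EDNS0 OPT record when edns_size is set."""
    msg = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!2H", TYPE_A, CLASS_IN)
    if edns_size:
        # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return msg

def is_truncated(response):
    """True when the TC bit is set in a raw DNS response."""
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)

def next_attempt(current, response):
    """Next transport after a reply, or None (complete, or nothing left)."""
    if not is_truncated(response):
        return None
    return {"udp": "udp+edns", "udp+edns": "tcp"}.get(current)

def frame_for_tcp(query):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035)."""
    return struct.pack("!H", len(query)) + query

def resolve_path(responses, firewall_allows=("udp", "udp+edns", "tcp")):
    """Walk replies through the fallback; return the transports attempted."""
    path, current = ["udp"], "udp"
    for resp in responses:
        current = next_attempt(current, resp)
        if current is None:
            break
        if current not in firewall_allows:
            path.append("blocked:" + current)  # e.g. TCP/53 dropped outbound
            break
        path.append(current)
    return path

# Constructed sample headers (not captured traffic): QR, RD, RA set; TC set / clear.
TRUNCATED = struct.pack("!6H", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
```
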