[dns-operations] The possible problems after May 5th

bert hubert bert.hubert at netherlabs.nl
Thu Apr 8 13:35:28 UTC 2010

On Thu, Apr 08, 2010 at 09:12:40AM -0400, Joe Abley wrote:
> > And unless you have configured them otherwise they will just work.
> > 
> > Recursive nameservers make TCP connections by default on TC.

Some send out questions without EDNS normally, and will first attempt EDNS
on TC=1, and only then TCP if that fails.

> > Authoritative nameservers accept TCP connections by default.

Try it. Block UDP for your resolver and see how far you get.

> > Most firewalls allow the outbound TCP connections by default
> Just to be clear, are you talking about your personal experience of the Internet with BIND9, or are you talking about research you have done across a broad slice of Internet users?

Loads of firewalls I know have indeed been configured with TCP/53 blocked,
or more specifically, everything blocked except perhaps UDP/53. 
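
The retry ladder described in this message (plain UDP, then EDNS on TC=1, then TCP), as an added example that is not part of the original post. It is a simplified model: `simulated_path` is a constructed stand-in for the authoritative server plus any firewall in between, and `answer_size`, `tcp_allowed` and `edns_allowed` are hypothetical knobs used to show which answers stop resolving once TCP/53 is blocked.

```python
import struct
from functools import partial

TC = 0x0200  # truncation bit in the DNS header flags word

def build_query(qname, edns_size=None, txid=0x1234):
    """DNS A query; appends an EDNS0 OPT record when edns_size is given."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = header + name + struct.pack("!HH", 1, 1)
    if edns_size:  # root name, TYPE=OPT(41), CLASS=UDP payload size, TTL, RDLEN
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC)

def simulated_path(query, transport, answer_size, tcp_allowed, edns_allowed=True):
    """Constructed stand-in for server plus firewall. None means dropped."""
    has_opt = struct.unpack("!H", query[10:12])[0] > 0  # ARCOUNT of our own query
    if transport == "tcp":
        if not tcp_allowed:
            return None
        limit = 65535
    elif has_opt:
        if not edns_allowed:
            return None
        limit = struct.unpack("!H", query[-8:-6])[0]  # advertised UDP payload size
    else:
        limit = 512  # classic DNS-over-UDP limit without EDNS
    flags = 0x8180 | (TC if answer_size > limit else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]

def resolve(qname, path):
    """Retry ladder from the post: plain UDP, EDNS on TC=1, then TCP."""
    tried = []
    for transport, edns in (("udp", None), ("udp", 4096), ("tcp", None)):
        tried.append(transport + ("+edns" if edns else ""))
        reply = path(build_query(qname, edns_size=edns), transport)
        if reply is not None and not is_truncated(reply):
            return "answered", tried
    return "failed", tried

if __name__ == "__main__":
    # Constructed answer sizes; the domain name is a placeholder.
    for size, tcp in ((300, False), (1800, False), (5000, True), (5000, False)):
        path = partial(simulated_path, answer_size=size, tcp_allowed=tcp)
        print(size, "tcp allowed" if tcp else "tcp blocked", resolve("example.com", path))
```
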

