[dns-operations] The possible problems after May 5th

Mark Andrews marka at isc.org
Thu Apr 8 23:22:05 UTC 2010


In message <20100408133528.GB9903 at xs.powerdns.com>, bert hubert writes:
> On Thu, Apr 08, 2010 at 09:12:40AM -0400, Joe Abley wrote:
> > > And unless you have configured them otherwise they will just work.
> > > 
> > > Recursive nameservers make TCP connections by default on TC.
> 
> Some send out questions without EDNS normally, and will first attempt EDNS
> on TC=1, and only then TCP if that fails.

They still do TCP, by default, even if there are other steps involved.
 
> > > Authoritative nameservers accept TCP connections by default.
> 
> Try it. Block UDP for your resolver and see how far you get.

Apart from djbdns can you name another nameserver that doesn't listen
for TCP by default?  They may have firewalls in front of them that
block incoming TCP but they still listen.
 
> > > Most firewalls allow the outbound TCP connections by default
> > 
> > Just to be clear, are you talking about your personal experience of the
> > Internet with BIND9, or are you talking about research you have done
> > across a broad slice of Internet users?

Well when you field the bug reports that result from blocking outbound
TCP you get a feel for how often it is actually done.  The couple of
ISPs that I have known to try this reversed the configuration within
a day.

> Loads of firewalls I know have indeed been configured with TCP/53 blocked,
> or more specifically, everything blocked except perhaps UDP/53. 

Inbound or outwards?

> 	Bert
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
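The fallback ladder the thread argues about (plain UDP, then EDNS0 on TC=1, then TCP), written out as an added example that is not part of the mailing-list post and not code from ISC, PowerDNS or djbdns. It builds RFC 1035 queries by hand, detects the TC bit in a response, frames messages for TCP with the 2-byte length prefix, and reports clearly when the TCP/53 step fails, which is exactly the symptom a firewall that only permits UDP/53 produces. The server address and the two sample responses are constructed for illustration.

```python
"""Minimal DNS client showing TC=1 -> EDNS0 -> TCP fallback (added example)."""
import socket
import struct
from typing import Optional

QTYPE_A = 1
FLAG_TC = 0x0200   # TrunCation bit in the flags word (RFC 1035 4.1.1)
FLAG_RD = 0x0100   # Recursion Desired


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234,
                edns_payload: Optional[int] = None) -> bytes:
    """Build a query; with edns_payload set, append an OPT RR advertising that UDP size."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # CLASS IN
    msg = header + question
    if edns_payload:
        # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)
    return msg


def is_truncated(response: bytes) -> bool:
    """True when the responder set TC, i.e. the answer did not fit the UDP size."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP/53 connection closed before full message arrived")
        buf += chunk
    return buf


def udp_exchange(server: str, msg: bytes, timeout: float = 2.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        data, _ = s.recvfrom(65535)
        return data


def tcp_exchange(server: str, msg: bytes, timeout: float = 5.0) -> bytes:
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(msg))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def resolve(name: str, server: str, edns_payload: int = 4096) -> bytes:
    """1. plain UDP; 2. on TC=1 retry UDP with EDNS0; 3. still TC=1 -> TCP."""
    resp = udp_exchange(server, build_query(name))
    if not is_truncated(resp):
        return resp
    resp = udp_exchange(server, build_query(name, edns_payload=edns_payload))
    if not is_truncated(resp):
        return resp
    try:
        return tcp_exchange(server, build_query(name))
    except OSError as exc:
        # UDP answered but TCP cannot complete: the classic "TCP/53 blocked" failure.
        raise RuntimeError(f"TC=1 from {server} but TCP/53 fallback failed: {exc}") from exc


# Constructed sample responses (header only): QR|RD|RA with and without TC.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
SAMPLE_COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)

if __name__ == "__main__":
    # 192.0.2.53 is a documentation address (RFC 5737), used here as a placeholder.
    print(len(resolve("example.com", "192.0.2.53")), "bytes received")
```

Running `resolve()` against a server whose TCP/53 is dropped by a firewall ends in the `RuntimeError`, which is the failure mode Bert describes; against a server that merely needs EDNS0 the second UDP attempt succeeds and no TCP connection is ever made.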
