[dns-operations] Geoff Huston on DNS-over-TCP-only study.
Joseph S D Yao
jsdy at tux.org
Sat Aug 31 20:29:28 UTC 2013
On 2013-08-21 19:36, Geoff Huston wrote:
...
> truncated TCP. 0.4% of them appear to have some inbound TCP-blocking
> firewall/filter. ...
...
I may have missed this in the original posting and this thread, but
this is the first time I've seen this brought up here. This is a
particular problem I've noticed. In certain "security-conscious"
networks, firewalls or filtering routers block all TCP DNS ("It's only
used for zone transfers anyway") and UDP packets with a payload greater
than 512 bytes. In fact, at least one major company's filtering
firewalls and routers come set to do the latter (Cisco). Persuading
checklist-followers that this is what is causing them problems is
sometimes more effort than it's worth. I'm pleased to see that
indiscriminate TCP DNS blocking seems not to be as prevalent on the
particular part of the public Internet on which this test was conducted.
Joe Yao
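The transport mechanics behind the complaint above, as an added offline illustration that is not part of the original post or of Geoff Huston's study: a resolver sends its query over UDP, optionally with an EDNS0 OPT record advertising that it can accept replies larger than the classic 512-byte limit; if the answer comes back with the TC (truncated) bit set, the resolver must retry over TCP, where each message carries a 2-byte length prefix. A filter that drops TCP/53 or UDP payloads over 512 bytes therefore breaks exactly the large-answer cases. The message bytes are constructed here and nothing is sent on the network; `next_step` and its `tcp_allowed` flag are this example's own names, not part of any resolver API.

```python
"""Wire-format DNS query building and truncation handling, constructed
entirely in memory so it runs without network access."""
import struct


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, edns_udp_size=None):
    """Build a query for qname (qtype 1 = A). With edns_udp_size, append an
    OPT pseudo-RR (RFC 6891) in the additional section; its CLASS field
    carries the UDP payload size the client is willing to receive."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=ext-rcode/version/
        # flags (all zero here), RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a resolver acts on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def question_end(msg):
    """Offset just past the first question (name + QTYPE + QCLASS)."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its big-endian 2-byte
    length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def truncated_reply(query):
    """Constructed sample reply: same ID, QR=1, TC=1, RD=1, RA=1, and only
    the question section, which is what a server returns when the full
    answer would not fit the client's UDP limit."""
    txid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0)
    return header + query[12:question_end(query)]


def next_step(query, udp_response, tcp_allowed=True):
    """What a resolver does with a UDP reply: 'accept' a complete answer,
    'retry_tcp' a truncated one, or 'fail_tcp_blocked' when the path
    (per the hypothetical tcp_allowed flag) drops TCP/53 entirely."""
    hdr = parse_header(udp_response)
    if hdr["id"] != parse_header(query)["id"] or not hdr["qr"]:
        raise ValueError("response does not match query")
    if not hdr["tc"]:
        return "accept"
    return "retry_tcp" if tcp_allowed else "fail_tcp_blocked"


if __name__ == "__main__":
    q = build_query("example.com", edns_udp_size=4096)
    r = truncated_reply(q)
    print("UDP reply truncated:", parse_header(r)["tc"])
    print("with TCP allowed:", next_step(q, r))
    print("with TCP/53 filtered:", next_step(q, r, tcp_allowed=False))
    print("TCP retry frame starts with length:", tcp_frame(q)[:2].hex())
```

The useful diagnostic reading of this: if `dig +tcp` style retries time out while the plain UDP query returns TC=1, the answer is being cut at the network, not at the server, and the same goes for EDNS0 queries advertising 4096 bytes that only ever succeed with `+bufsize=512`.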