[dns-operations] Geoff Huston on DNS-over-TCP-only study.

Joseph S D Yao jsdy at tux.org
Sat Aug 31 20:29:28 UTC 2013


On 2013-08-21 19:36, Geoff Huston wrote:
...
> truncated TCP. 0.4% of them appear to have some inbound TCP-blocking
> firewall/filter. ...
...


I may have missed this in the original posting and this thread, but
this is the first time I've seen this brought up here.  This is a
particular problem I've noticed.  In certain "security-conscious"
networks, firewalls or filtering routers block all TCP DNS ("It's only
used for zone transfers anyway") and UDP packets with a payload greater
than 512 bytes.  In fact, at least one major company's filtering
firewalls and routers come set to do the latter (Cisco).  Persuading
checklist-followers that this is what is causing them problems is
sometimes more effort than it's worth.  I'm pleased to see that
indiscriminate TCP DNS blocking seems not to be as prevalent on the
particular part of the public Internet on which this test was conducted.


Joe Yao
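The fallback chain that the filtering described above breaks, as an added example that is not part of the original post or of any resolver's real code: a stub client tries UDP with an EDNS0 OPT record advertising a 4096-byte buffer, retries as a plain 512-byte RFC 1035 query on timeout (a common resolver fallback), and moves to TCP when the reply comes back with the TC bit set. The middlebox policy, the authoritative server, the name example.com and the answer sizes are all constructed for the simulation; the wire formats (header flags, OPT RR layout, the 2-byte TCP length prefix) are the real ones.

```python
"""Simulated DNS client fallback chain against a filtering middlebox.

Constructed example: models a firewall that drops TCP/53 and UDP DNS
payloads over 512 bytes, and shows where a resolver's
UDP+EDNS0 -> plain UDP -> TC -> TCP fallback dead-ends.
"""
import struct

FLAG_TC = 0x0200          # Truncation bit in the DNS header flags field
OPT_TYPE = 41             # EDNS0 OPT pseudo-RR (RFC 6891)
CLASSIC_UDP_LIMIT = 512   # RFC 1035 maximum UDP payload without EDNS0
TCP_LIMIT = 65535         # 2-byte length prefix bounds a TCP message


def build_query(qname, qtype=1, txid=0x1234, edns_bufsize=None):
    """Return a wire-format query; with edns_bufsize, append an OPT RR advertising it."""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = [l.encode() for l in qname.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if edns_bufsize is not None:
        # NAME=root, TYPE=OPT, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return header + question + opt


def advertised_bufsize(query):
    """UDP payload size the client advertised, or CLASSIC_UDP_LIMIT if there is no OPT RR."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return CLASSIC_UDP_LIMIT
    opt = query[-11:]  # the single additional record build_query appends
    rtype, bufsize = struct.unpack("!HH", opt[1:5])
    return bufsize if opt[0] == 0 and rtype == OPT_TYPE else CLASSIC_UDP_LIMIT


def server_reply(query, answer_size, transport="udp"):
    """Constructed authoritative server: fit the answer in the client's limit or set TC."""
    txid = struct.unpack("!H", query[:2])[0]
    limit = TCP_LIMIT if transport == "tcp" else advertised_bufsize(query)
    if answer_size <= limit:
        flags, body = 0x8180, b"A" * (answer_size - 12)          # QR, RD, RA
    else:
        flags, body = 0x8180 | FLAG_TC, b"A" * (limit - 12)      # truncated to fit
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + body


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


class Middlebox:
    """Constructed filter policy with the two knobs the post describes."""
    def __init__(self, block_tcp_dns=False, udp_payload_cap=None):
        self.block_tcp_dns = block_tcp_dns
        self.udp_payload_cap = udp_payload_cap

    def pass_udp(self, payload):
        return self.udp_payload_cap is None or len(payload) <= self.udp_payload_cap

    def pass_tcp(self):
        return not self.block_tcp_dns


def resolve(answer_size, mb, first_bufsize=4096, qname="example.com."):
    """Walk the fallback chain; return (outcome, list of attempt descriptions)."""
    attempts = []
    for bufsize in (first_bufsize, None):   # None = plain RFC 1035 query, 512-byte limit
        q = build_query(qname, edns_bufsize=bufsize)
        reply = server_reply(q, answer_size)
        label = f"udp/edns{bufsize}" if bufsize else "udp/512"
        if not mb.pass_udp(reply):
            attempts.append(f"{label}: timeout (reply {len(reply)} B dropped)")
            continue                          # retry with the smaller classic query
        tc = struct.unpack("!H", reply[2:4])[0] & FLAG_TC
        attempts.append(f"{label}: {'truncated' if tc else 'complete'} ({len(reply)} B)")
        if not tc:
            return "ok", attempts
        break                                 # TC set: the only way forward is TCP
    if mb.pass_tcp():
        frame = tcp_frame(server_reply(build_query(qname), answer_size, transport="tcp"))
        attempts.append(f"tcp/53: complete ({len(frame)} B framed)")
        return "ok", attempts
    attempts.append("tcp/53: connection dropped")
    return "fail", attempts


if __name__ == "__main__":
    for name, box in [("open", Middlebox()),
                      ("udp>512 dropped", Middlebox(udp_payload_cap=512)),
                      ("tcp blocked + udp>512 dropped",
                       Middlebox(block_tcp_dns=True, udp_payload_cap=512))]:
        outcome, log = resolve(1500, box)
        print(f"{name}: {outcome}")
        for line in log:
            print("  " + line)
```

Against the third policy the client sees exactly the symptom the post describes: the large EDNS reply silently vanishes, the retry gets a 512-byte truncated answer, and the TCP follow-up goes nowhere, so any response larger than 512 bytes (DNSSEC-signed zones, large TXT or MX sets) is unresolvable while small answers keep working, which is why the checklist-followers do not see a problem.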


