[dns-operations] Firewall defaults and EDNS
Roland Dobbins
rdobbins at arbor.net
Thu Nov 20 06:19:07 UTC 2014
On 20 Nov 2014, at 11:16, Mark Andrews wrote:
> so I can generate a list of broken by default for EDNS firewalls.
While it's a good idea to try and compile a list of firewalls which are
broken by default, the far more prevalent issue is the apparently
unkillable 'security' myth that one must block TCP/53 as well as DNS
responses larger than 512 bytes.
Irrespective of defaults, folks just unquestioningly slap these rules
into place - and then they (or their users) wonder why their DNS is
broken.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
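An added example, not part of the original message: a heuristic audit of an iptables-save style ruleset for the two rules described above (blocking TCP/53, and size-limiting DNS over UDP). The sample rules, function names and the choice of iptables syntax are assumptions made for illustration.

```python
import shlex

# Constructed iptables-save style rules (sample input, not from the post).
SAMPLE_RULES = """\
-A INPUT -p udp -m udp --sport 53 -m length --length 513:65535 -j DROP
-A INPUT -p tcp -m tcp --sport 53 -j DROP
-A FORWARD -p tcp -m tcp --dport 53 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
"""

BLOCKING = {"DROP", "REJECT"}


def _opt(tokens, *names):
    """Return the value following the first of `names` found, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def audit(rules_text):
    """Return (line_no, finding) for rules that break TCP/53 or large DNS replies.

    Heuristic only: handles numeric single-port matches, not multiport,
    negation, or service names.
    """
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        tok = shlex.split(line)
        if not tok or tok[0] != "-A" or _opt(tok, "-j") not in BLOCKING:
            continue
        proto = _opt(tok, "-p", "--protocol")
        ports = {_opt(tok, "--sport", "--source-port"),
                 _opt(tok, "--dport", "--destination-port")}
        if "53" not in ports:
            continue
        if proto == "tcp":
            findings.append((n, "blocks TCP/53"))
        elif proto == "udp" and _opt(tok, "--length") is not None:
            findings.append((n, "size-limits UDP/53"))
    return findings


if __name__ == "__main__":
    for n, what in audit(SAMPLE_RULES):
        print(f"rule {n}: {what}")
```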