[dns-operations] Firewall defaults and EDNS

Roland Dobbins rdobbins at arbor.net
Thu Nov 20 06:19:07 UTC 2014

On 20 Nov 2014, at 11:16, Mark Andrews wrote:

> so I can generate a list of broken by default for EDNS firewalls.

While it's a good idea to try and compile a list of firewalls which are 
broken by default, the far more prevalent issue is the apparently 
unkillable 'security' myth that one must block TCP/53 as well as DNS 
responses larger than 512 bytes.

Irrespective of defaults, folks just unquestioningly slap these rules 
into place - and then they (or their users) wonder why their DNS is 

Roland Dobbins <rdobbins at arbor.net>

More information about the dns-operations mailing list