[dns-operations] Firewall defaults and EDNS

Mark Andrews marka at isc.org
Thu Nov 20 08:24:56 UTC 2014

In message <2DCA46D6-6073-454A-AF5E-24B9172179F1 at arbor.net>, "Roland Dobbins" w
> On 20 Nov 2014, at 11:16, Mark Andrews wrote:
> > so I can generate a list of broken by default for EDNS firewalls.
> While it's a good idea to try and compile a list of firewalls which are 
> broken by default, the far more prevalent issue is the apparently 
> unkillable 'security' myth that one must block TCP/53 as well as DNS 
> responses larger than 512 bytes.

Well Cisco fixed the latter quite a few years ago now.  That doesn't
mean that there aren't old images still in use.

If you want to add > 512 being blocked by default to the set of
broken by default, I'll collect that information too.

Also any known good images and configuration recipes to fix those that
are broken by default.

> Irrespective of defaults, folks just unquestioningly slap these rules 
> into place - and then they (or their users) wonder why their DNS is 
> broken.
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
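The two firewall mistakes the thread is about (dropping DNS/UDP replies over 512 bytes, which defeats EDNS0, and blocking TCP/53, which defeats the truncation fallback) can be spotted from the client side by sending the same question three ways and comparing what comes back. The script below is an added example for this archive page, not code from ISC, Arbor or either poster; the server address and query name are assumptions supplied on the command line, and it uses only the Python standard library.

```python
"""Probe a DNS server through a firewall for the two classic breakages:
replies over 512 bytes being dropped (breaks EDNS0) and TCP/53 being
blocked (breaks the TC-bit fallback). Added example; the server and
query name are assumptions given on the command line."""
import socket
import struct
import sys

TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags word


def build_query(name, qtype=1, edns_bufsize=4096, txid=0x1234):
    """Return a wire-format DNS query. With edns_bufsize > 0 an EDNS0 OPT
    pseudo-RR (RFC 6891) is appended advertising that UDP payload size;
    with 0 the query is pre-EDNS and never solicits a reply over 512 bytes."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = [] if name in ("", ".") else name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns_bufsize:
        # OPT RR: NAME=root, TYPE=41, CLASS=advertised UDP size,
        # TTL=extended rcode/version/flags (all zero), RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header; 'tc' is the truncation flag."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0xF,
            "ancount": an, "arcount": ar}


def udp_exchange(server, query, timeout):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(65535)
    return data


def tcp_exchange(server, query, timeout):
    """DNS over TCP: each message is prefixed by a 2-byte length (RFC 1035)."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        buf, need = b"", 2
        while len(buf) < need:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed TCP stream early")
            buf += chunk
            if len(buf) >= 2:
                need = 2 + struct.unpack("!H", buf[:2])[0]
    return buf[2:need]


def probe(server, name, qtype=48, timeout=3.0):
    """qtype 48 = DNSKEY: signed zones return answers well over 512 bytes,
    which is exactly what a ">512 drop" rule will eat."""
    report = {}
    for label, bufsize in (("udp_no_edns", 0), ("udp_edns_4096", 4096)):
        try:
            data = udp_exchange(server, build_query(name, qtype, bufsize), timeout)
            h = parse_header(data)
            report[label] = "ok: %d bytes, TC=%s" % (len(data), h["tc"])
        except socket.timeout:
            report[label] = "TIMEOUT"
    try:
        data = tcp_exchange(server, build_query(name, qtype, 4096), timeout)
        report["tcp"] = "ok: %d bytes" % len(data)
    except OSError as e:
        report["tcp"] = "FAILED: %s" % e
    return report


if __name__ == "__main__":
    srv, qname = sys.argv[1], sys.argv[2]
    for k, v in probe(srv, qname).items():
        print("%-14s %s" % (k, v))
```

Run it as `python3 probe.py <server-ip> <signed-zone-name>` from behind the firewall under test. Reading the result: `udp_no_edns` ok but `udp_edns_4096` TIMEOUT means something on the path drops replies larger than 512 bytes (or drops packets carrying an OPT record); `tcp FAILED` means TCP/53 is blocked, so any reply the server truncates (TC=1) can never be retried. A TC=1 reply over UDP is not itself a fault, it is the signal that TCP must work. Pick a name whose answer really exceeds 512 bytes, otherwise the EDNS leg proves nothing, and if even `udp_no_edns` times out the server is simply unreachable and the test says nothing about EDNS.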
