[dns-operations] Firewall defaults and EDNS

Carsten Schiefner dotberlin.cs at schiefner.de
Thu Nov 20 10:28:16 UTC 2014

Roland, all -

On 20.11.2014 07:19, Roland Dobbins wrote:
> While it's a good idea to try and compile a list of firewalls which are
> broken by default, the far more prevalent issue is the apparently
> unkillable 'security' myth that one must block TCP/53 as well as DNS
> responses larger than 512 bytes.
> Irrespective of defaults, folks just unquestioningly slap these rules
> into place - and then they (or their users) wonder why their DNS is broken.

so true for the "their users" part.

I just had to come across this once more again the other day when my
DynDNS provider ceased servicing me as I had apparently become
unreachable by email.

Why? I had switched on DNSSEC - so results for MX RR queries became
larger than 512 bytes.



More information about the dns-operations mailing list