[dns-operations] Firewall defaults and EDNS
Carsten Schiefner
dotberlin.cs at schiefner.de
Thu Nov 20 10:28:16 UTC 2014
Roland, all -
On 20.11.2014 07:19, Roland Dobbins wrote:
> While it's a good idea to try and compile a list of firewalls which are
> broken by default, the far more prevalent issue is the apparently
> unkillable 'security' myth that one must block TCP/53 as well as DNS
> responses larger than 512 bytes.
>
> Irrespective of defaults, folks just unquestioningly slap these rules
> into place - and then they (or their users) wonder why their DNS is broken.
So true for the "their users" part.
I came across this once more the other day, when my DynDNS provider
ceased servicing me because I had apparently become unreachable by
email.
Why? I had switched on DNSSEC - so results for MX RR queries became
larger than 512 bytes.
Best,
-C.
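The two failure modes in this thread, a filter that drops UDP answers over 512 bytes and a block on TCP/53, can be told apart from the client side with three probes: a plain UDP query, a UDP query carrying an EDNS0 OPT record that advertises a 4096-byte buffer with the DO bit set (which is what a DNSSEC-aware resolver sends for that MX lookup), and the same query over TCP. The script below is an added example written for this archive page, not code from the list or from any poster; the server, domain and timeout values are placeholders, and the diagnosis codes it emits are my own naming. Only the packet construction and the classification logic are exercised offline; the socket probes need a reachable nameserver.

```python
"""Probe whether a DNS path passes EDNS0-sized UDP answers and TCP/53.

Added example (not from the dns-operations thread). Wire formats follow
RFC 1035 (header/question) and RFC 6891 (EDNS0 OPT pseudo-RR).
"""
import socket
import struct

QTYPE = {"A": 1, "MX": 15, "DNSKEY": 48}
OPT_TYPE = 41
DO_BIT = 0x8000        # DNSSEC OK: high bit of the 16-bit flags inside the OPT "TTL"
TC_FLAG = 0x0200       # TrunCation bit in the DNS header flags


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression needed in a query)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_bufsize=None, dnssec_ok=False):
    """Recursive query; with edns_bufsize set, append an OPT RR advertising that
    UDP payload size and (optionally) the DO bit."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # IN
    pkt = header + question
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode(8) | version(8) | DO+Z(16), RDLENGTH=0.
        ttl = DO_BIT if dnssec_ok else 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, ttl, 0)
    return pkt


def header_flags(response):
    """Pull the transaction id, TC bit and RCODE out of a response header."""
    txid, flags = struct.unpack("!HH", response[:4])
    return {"id": txid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0x000F}


def diagnose(plain, edns, tcp):
    """Classify probe results. Each argument is the raw response, or None if the
    probe timed out. Codes are this example's own naming."""
    findings = []
    if plain is None:
        findings.append("udp_53_unreachable")
        return findings
    if edns is None:
        findings.append("large_udp_dropped")        # the ">512 bytes" filter
    elif len(edns) > 512:
        findings.append("large_udp_ok")
    else:
        findings.append("large_udp_inconclusive")   # answer was small anyway
    if tcp is None and header_flags(plain)["tc"]:
        # Truncated UDP answer and no TCP fallback: exactly the MX breakage
        # described in the thread.
        findings.append("tcp_53_blocked_with_truncation")
    elif tcp is None:
        findings.append("tcp_53_blocked")
    else:
        findings.append("tcp_53_ok")
    return findings


def probe_udp(server, pkt, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            return s.recv(65535)
        except socket.timeout:
            return None


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe_tcp(server, pkt, timeout=2.0):
    """DNS over TCP: two-byte length prefix on both the query and the answer."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(pkt)) + pkt)
            n = struct.unpack("!H", _recv_exact(s, 2))[0]
            return _recv_exact(s, n)
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]   # e.g. 192.0.2.53 example.net (placeholders)
    plain = probe_udp(server, build_query(name, "MX"))
    edns = probe_udp(server, build_query(name, "MX", edns_bufsize=4096, dnssec_ok=True))
    tcp = probe_tcp(server, build_query(name, "MX", edns_bufsize=4096, dnssec_ok=True))
    print(diagnose(plain, edns, tcp))
```

Run it from inside the network whose firewall you suspect, pointed at the resolver or authoritative server that sits on the far side of it. A plain `large_udp_dropped` means EDNS answers are being filtered; `tcp_53_blocked_with_truncation` is the case from the thread, where the 512-byte fallback truncates and the TCP retry that is supposed to rescue it never connects. The same three checks can be done by hand with `dig +noedns MX example.net`, `dig +dnssec +bufsize=4096 MX example.net` and `dig +tcp +dnssec MX example.net`, looking for the `tc` flag and for timeouts.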