[dns-operations] Big reduction in the number of TLD zones blocking EDNS(1) queries

Joel Maslak jmaslak at antelope.net
Sat Aug 8 22:38:04 UTC 2015


I'll add one note here: if you're behind an overzealous firewall, these
tests may tell you more about your firewall than your DNS servers.  I found
this out the hard way doing some EDNS testing from behind a Juniper SRX (it
also blocked large responses, unknown [to it] edns versions, etc).  It did
the blocking in either direction through the device.

If someone else is behind one of these SRXes, and you want to turn it into
more of a dumb packet filter as far as DNS:

set security alg dns disable

I didn't bother to see if different JunOS code handles EDNS and large DNS
responses better.

Obviously if this ALG actually provides some sort of security, you've
disabled it.  I'd be really interested to hear about what security
vulnerabilities it actually blocks, at least if you aren't doing any
content filtering.


On Sat, Aug 8, 2015 at 2:18 PM, Mark Andrews <marka at isc.org> wrote:

>
>         As of the 8th of August there was a big reduction in the
>         number of TLD zones which filtered queries with unknown
>         EDNS version or unknown EDNS flags.
>
>         While there is still work to do to improve EDNS compliance
>         this is a big step forward.  Thank you.
>
>         https://ednscomp.isc.org/compliance/summary.html
>
>         As some of the operators involved also serve part of the
>         Alexa top 1000, a visible step improvement has been seen
>         there as well.
>
>         Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE:  +61 2 9871 4742                         INTERNET: marka at isc.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150808/3ad483ac/attachment.html>


More information about the dns-operations mailing list