[dns-operations] AWS footnote: DNS firewall rules are UDP only

Mark Andrews marka at isc.org
Wed Jan 28 20:55:02 UTC 2015


In message <Pine.LNX.4.53.1501281221510.26950 at flame.m3047.net>, Fred Morris writes:
> I just noticed that when configuring firewall rules for an AWS instance,
> if "DNS" is chosen then the (only) protocol automagically filled in is
> UDP.
> 
> To get TCP, you have to create a custom TCP rule.
> 
> When you save, the UDP one gets saved as "DNS", the TCP one stays "custom
> TCP rule".

And the filtering rules break EDNS version negotiation.  The
nameservers themselves also need to be fixed to properly respond
to unknown EDNS versions (i.e. return BADVERS rather than ignore
the version in the request).

e.g.

9gag.com. @205.251.193.152 (ns-408.awsdns-51.com.): dns=ok edns=ok edns1=status,version,soa edns@512=ok ednsopt=ok edns1opt=status,version,soa do=ok ednsflags=ok
9gag.com. @205.251.197.14 (ns-1294.awsdns-33.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok
9gag.com. @205.251.198.137 (ns-1673.awsdns-17.co.uk.): dns=ok edns=ok edns1=status,version,soa edns@512=ok ednsopt=ok edns1opt=status,version,soa do=ok ednsflags=ok
9gag.com. @205.251.194.117 (ns-629.awsdns-14.net.): dns=ok edns=ok edns1=status,version,soa edns@512=ok ednsopt=ok edns1opt=status,version,soa do=ok ednsflags=ok
 
> --
> 
> Fred Morris
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
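The EDNS version check discussed in the message above, as an added example that is not part of the original post and is not ISC's own compliance tester: a stdlib-only Python probe that sends a query with an OPT record set to EDNS version 1 (over UDP or TCP, so a UDP-only firewall rule shows up as a timeout on the TCP path), parses the reply, and reports the same three failure categories that appear in the output above ("status" when the RCODE is not BADVERS, "version" when the OPT in the reply does not carry version 0, "soa" when the server answered anyway). The category names are borrowed from the output for readability; the exact semantics of the ISC tool are not reproduced. The zone name, the server replies in `build_response` and the `__main__` section are constructed sample input, not captured traffic.

```python
"""Probe EDNS version negotiation (RFC 6891 6.1.3) over UDP or TCP. Added example, stdlib only."""
import socket
import struct

BADVERS = 16  # extended RCODE "bad EDNS version"; low 4 bits in header, high 8 bits in OPT TTL
OPT = 41
SOA = 6


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, edns_version, qid=0x1234, udp_size=4096, qtype=SOA):
    """Query carrying an OPT RR that requests the given EDNS version."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # QR=0, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, udp_size, 0, edns_version, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def parse_response(msg):
    """Return (rcode including extended bits, OPT version or None, set of non-OPT RR types)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    rcode, version, types = flags & 0xF, None, set()
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4      # extended RCODE lives in the OPT TTL high byte
            version = (ttl >> 16) & 0xFF   # EDNS version the server is speaking
        else:
            types.add(rtype)
    return rcode, version, types


def check_edns1(msg):
    """Classify a reply to a version-1 query using the category names from the output above."""
    if msg is None:
        return ["timeout"]
    rcode, version, types = parse_response(msg)
    problems = []
    if rcode != BADVERS:
        problems.append("status")   # server did not reply BADVERS
    if version != 0:
        problems.append("version")  # OPT missing, or not downgraded to version 0
    if SOA in types:
        problems.append("soa")      # a BADVERS reply must not carry answer data
    return problems or ["ok"]


def build_response(query, rcode, edns_version, include_soa, udp_size=4096):
    """Constructed server reply (sample data, not captured): copies the question, adds SOA/OPT."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    answers = []
    if include_soa:
        rdata = (encode_name("ns1.example.") + encode_name("hostmaster.example.")
                 + struct.pack("!IIIII", 1, 7200, 900, 1209600, 86400))
        answers.append(b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 3600, len(rdata)) + rdata)
    ttl = ((rcode >> 4) << 24) | (edns_version << 16)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)
    flags = 0x8000 | 0x0400 | (rcode & 0xF)  # QR, AA, low 4 bits of RCODE
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 1)
    return header + question + b"".join(answers) + opt


def probe(server, qname, edns_version=1, tcp=False, timeout=3.0, port=53):
    """Send the query on the wire; None on timeout (what a UDP-only rule yields on the TCP path)."""
    query = build_query(qname, edns_version)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        if not tcp:
            sock.sendto(query, (server, port))
            return sock.recv(4096)
        sock.connect((server, port))
        sock.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS is length-prefixed
        hdr = sock.recv(2)
        if len(hdr) < 2:
            return None
        (n,) = struct.unpack("!H", hdr)
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                return None
            data += chunk
        return data
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    q = build_query("example.com.", edns_version=1)
    print("compliant:", check_edns1(build_response(q, BADVERS, 0, include_soa=False)))
    print("ignores version:", check_edns1(build_response(q, 0, 1, include_soa=True)))
    print("filtered:", check_edns1(None))
```

To run it against a live server, call `check_edns1(probe("203.0.113.53", "example.com.", tcp=True))` for the TCP path and `tcp=False` for UDP (the address is a placeholder); a server behind a "DNS"-only security group answers the UDP probe and times out the TCP one.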