[dns-operations] EDNS and TLDs

Bob Harold rharolde at umich.edu
Wed Nov 16 13:21:22 UTC 2016


On Wed, Nov 16, 2016 at 8:00 AM, Florian Weimer <fweimer at redhat.com> wrote:

> On 10/29/2016 11:06 AM, Phil Regnauld wrote:
>
>> Mark Andrews (marka) writes:
>>
>>>
>>> Thanks.  Firewalls are the biggest problems at the moment.
>>>
>>
>>         Firewalls in front of DNS servers still puzzle me.
>>
>
> If you want to run BIND, a packet filter in front of it currently is the
> only way to switch off processing of DNS UPDATE messages in BIND, so I can
> see why people do this.
>
> Florian
>
>
Why not just:
      allow-update { none; };
in BIND?
I would expect that to be not much more work processing than what the firewall
has to do, and less because of the overhead of the firewall.  And
definitely less likely to break things - the filter in the firewall is
likely to mis-categorize some packets it has not thought of.

-- 
Bob Harold
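
What a packet filter has to get right to recognise DNS UPDATE requests, shown as an added example that is not part of the original message: it must read the opcode field in the DNS header (5 is UPDATE, RFC 2136) and account for the 2-byte length prefix used over TCP. The packet bytes are constructed and the function names are hypothetical.

```python
import struct

# Opcode values assigned in the DNS header (bits 11-14 of the flags word).
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def dns_opcode(msg: bytes, tcp: bool = False):
    """Return (opcode_name, is_response), or None if the header is incomplete."""
    if tcp:
        # DNS over TCP prefixes every message with a 2-byte length.
        if len(msg) < 2:
            return None
        (length,) = struct.unpack("!H", msg[:2])
        msg = msg[2:2 + length]
    if len(msg) < 12:  # fixed DNS header size
        return None
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    opcode = (flags >> 11) & 0xF
    return OPCODES.get(opcode, f"UNASSIGNED({opcode})"), bool(flags & 0x8000)


def classify(msg: bytes, tcp: bool = False) -> str:
    """Label a message the way an UPDATE-blocking filter would have to."""
    parsed = dns_opcode(msg, tcp)
    if parsed is None:
        return "malformed"
    name, is_response = parsed
    return "update-request" if name == "UPDATE" and not is_response else "other"


def build_sample(opcode: int, qr: int = 0) -> bytes:
    """Constructed message: header plus one zone/question entry for example.com."""
    header = struct.pack("!HHHHHH", 0x1234, (qr << 15) | (opcode << 11), 1, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)  # SOA, IN


def tcp_frame(msg: bytes) -> bytes:
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    update = build_sample(5)
    print(classify(update))                        # UDP payload
    print(classify(tcp_frame(update), tcp=True))   # TCP payload, framing handled
    print(classify(tcp_frame(update)))             # TCP payload read as UDP
```

The last call shows the mis-categorization risk raised in the message: a filter that ignores TCP framing reads the message ID as the flags word and labels the same UPDATE request as something else.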