<div dir="ltr">I'll add one note here: if you're behind an overzealous firewall, these tests may tell you more about your firewall than your DNS servers. I found this out the hard way doing some EDNS testing from behind a Juniper SRX (it also blocked large responses, unknown [to it] EDNS versions, etc.). It did the blocking in either direction through the device.<div><br></div><div>If someone else is behind one of these SRXes, and you want to turn it into more of a dumb packet filter as far as DNS:</div><div><br></div><div>set security alg dns disable</div><div><br></div><div>I didn't bother to see if different JunOS code handles EDNS and large DNS responses better.</div><div><br></div><div>Obviously if this ALG actually provides some sort of security, you've disabled it. I'd be really interested to hear about what security vulnerabilities it actually blocks, at least if you aren't doing any content filtering.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Aug 8, 2015 at 2:18 PM, Mark Andrews <span dir="ltr"><<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
As of the 8th of August there was a big reduction in the<br>
number of TLD zones which filtered queries with unknown<br>
EDNS version or unknown EDNS flags.<br>
<br>
While there is still work to do to improve EDNS compliance<br>
this is a big step forward. Thank you.<br>
<br>
<a href="https://ednscomp.isc.org/compliance/summary.html" rel="noreferrer" target="_blank">https://ednscomp.isc.org/compliance/summary.html</a><br>
<br>
As some of the operators involved also serve part of the<br>
Alexa top 1000, a visible step improvement has been seen<br>
there as well.<br>
<span class="HOEnZb"><font color="#888888"><br>
Mark<br>
--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: <a href="tel:%2B61%202%209871%204742" value="+61298714742">+61 2 9871 4742</a> INTERNET: <a href="mailto:marka@isc.org">marka@isc.org</a><br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-jobs mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br>
</font></span></blockquote></div><br></div>
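<div>An added, offline illustration (not from this thread and not ISC's ednscomp code): a model of the unknown-EDNS-version probe such compliance tests send, plus a classifier for what comes back. Function names are mine, and the sample responses are constructed, not captured; a real run would send the query bytes over UDP and hand the reply (or None on timeout) to the classifier.</div>

```python
import struct
BADVERS = 16  # RFC 6891 extended RCODE meaning "bad EDNS version"

def encode_name(name):  # dotted name -> uncompressed wire labels + zero terminator
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_edns_query(name, edns_version=1, udp_size=4096, txid=0x1234):
    # EDNS version 1 is unassigned (RFC 6891): a compliant responder answers BADVERS.
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)       # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 6, 1)     # QTYPE SOA, QCLASS IN
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHBBHH", 41, udp_size, 0, edns_version, 0, 0)
    return header + question + opt

def skip_name(msg, off):  # offset just past a name; a compression pointer ends it
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += msg[off] + 1
    return off + 2

def classify_response(query, response):
    # 'badvers' = compliant; 'no-opt' = EDNS ignored or stripped; None = timeout (ALG drop)
    if response is None:
        return "blocked-or-timeout"
    if len(response) < 12 or response[:2] != query[:2]:
        return "bad-txid"
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", response[2:12])
    off, opt_ttl = 12, None
    for _ in range(qd):
        off = skip_name(response, off) + 4                      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(response, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        opt_ttl = ttl if rtype == 41 else opt_ttl
    if opt_ttl is None:
        return "no-opt"
    full_rcode = ((opt_ttl >> 24) << 4) | (flags & 0x0F)       # ext-rcode:rcode
    version = (opt_ttl >> 16) & 0xFF
    if full_rcode == BADVERS and version == 0:
        return "badvers"
    return f"other(rcode={full_rcode},version={version})"

def sample_response(query, ext_rcode=1, version=0, with_opt=True):  # constructed, not captured
    header = query[:2] + struct.pack("!HHHHH", 0x8000, 1, 0, 0, int(with_opt))
    question = query[12:skip_name(query, 12) + 4]
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, ext_rcode, version, 0, 0)
    return header + question + (opt if with_opt else b"")
```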