Anycast 101
Douglas K. Fischer
fischerdk at fidoki.com
Thu Dec 23 18:14:51 UTC 2004
Valdis.Kletnieks at vt.edu wrote:
>On Thu, 16 Dec 2004 17:18:12 PST, Crist Clark said:
>
>
>
>>Into a UDP response. A resolver will recieve the first 512 bytes of the
>>truncated response and may then use TCP to get the complete response...
>>unless there is a firewall blocking 53/tcp in the way. But how often
>>does that happpen?
>>
>>
>
>It happens *all* *the* *time* (probably just as often as sites that block
>all ICMP including 'frag needed' and wonder why PMTU Discovery breaks and
>connections hang).
>
>The *real* operational problem is that almost 100% of the time that there's
>a firewall blocking 53/tcp, the person running the firewall is (a) unaware
>that it's blocking it and (b) doesn't even realize that DNS *can* use TCP....
>
>Quite often, there's even a "(c) they don't even know they have a firewall" just
>to make things really interesting.
>
>
One of the most common misconceptions I've encountered and had heated
debates with some would-be admins is the belief that the only "proper"
use of 53/tcp for DNS is for zone transfers. For that reason they
explicitly block 53/tcp in their firewalls. Same thing with that good
old misconception that all forms of ICMP are evil and should be blocked.
Doug
--*--
Life would be so much easier if we only had the source code...
-Anonymous
--*--
More information about the NANOG
mailing list