Anycast 101

Douglas K. Fischer fischerdk at fidoki.com
Thu Dec 23 18:14:51 UTC 2004


Valdis.Kletnieks at vt.edu wrote:

>On Thu, 16 Dec 2004 17:18:12 PST, Crist Clark said:
>
>>Into a UDP response. A resolver will receive the first 512 bytes of the
>>truncated response and may then use TCP to get the complete response...
>>unless there is a firewall blocking 53/tcp in the way. But how often
>>does that happen?
>
>It happens *all* *the* *time* (probably just as often as sites that block
>all ICMP including 'frag needed' and wonder why PMTU Discovery breaks and
>connections hang).
>
>The *real* operational problem is that almost 100% of the time that there's
>a firewall blocking 53/tcp, the person running the firewall is (a) unaware
>that it's blocking it and (b) doesn't even realize that DNS *can* use TCP....
>
>Quite often, there's even a "(c) they don't even know they have a firewall" just
>to make things really interesting.
>

One of the most common misconceptions I've encountered, and had heated 
debates about with some would-be admins, is the belief that the only "proper" 
use of 53/tcp for DNS is for zone transfers. For that reason they 
explicitly block 53/tcp in their firewalls. Same thing with that good 
old misconception that all forms of ICMP are evil and should be blocked.

Doug

--*--
Life would be so much easier if we only had the source code...
-Anonymous
--*--
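The UDP-to-TCP fallback Crist describes above, and the failure Valdis describes when a firewall silently filters 53/tcp, as an added example that is not part of the thread. The transports are injectable so the fallback logic can be exercised offline against constructed responses; the server address 192.0.2.53, the constructed A record and the `blocked_tcp` stand-in are assumptions for the demonstration, not data from the list.

```python
"""DNS UDP query with RFC 1035 TC-bit fallback to TCP, and the 53/tcp-filtered
failure surfaced as its own error.  Added example; not code from the thread."""
import socket
import struct

DNS_PORT = 53
HEADER_LEN = 12
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


class TcpBlockedError(Exception):
    """UDP answer was truncated but the TCP retry failed (e.g. 53/tcp filtered)."""


def build_query(qname, qtype=1, txid=0x1234):
    """Wire-format query for qname, class IN (qtype 1 = A), recursion desired."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, truncated, answer=b""):
    """Constructed reply for testing: echoes ID and question, sets QR/RA and,
    when `truncated`, TC (a real server also drops RRs past 512 bytes)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + query[HEADER_LEN:] + answer


def is_truncated(msg):
    """True if the TC bit is set in the header flags."""
    if len(msg) < HEADER_LEN:
        raise ValueError("short DNS message")
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def udp_exchange(server, msg, timeout=2.0):
    """Send one query over UDP and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, DNS_PORT))
        return s.recvfrom(4096)[0]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


def tcp_exchange(server, msg, timeout=5.0):
    """Same query over TCP: two-byte length prefix in both directions."""
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def blocked_tcp(server, msg):
    """Stand-in (assumed) for a firewall dropping 53/tcp: connect never succeeds."""
    raise OSError("connect to %s:%d timed out" % (server, DNS_PORT))


def resolve(server, msg, udp=udp_exchange, tcp=tcp_exchange):
    """Query over UDP; on a truncated reply retry over TCP.
    Returns (reply, transport_used); raises TcpBlockedError if the retry fails."""
    reply = udp(server, msg)
    if reply[:2] != msg[:2]:
        raise ValueError("transaction ID mismatch on UDP reply")
    if not is_truncated(reply):
        return reply, "udp"
    try:
        reply = tcp(server, msg)
    except OSError as exc:
        raise TcpBlockedError("truncated UDP answer, TCP retry failed: %s" % exc) from exc
    if reply[:2] != msg[:2]:
        raise ValueError("transaction ID mismatch on TCP reply")
    return reply, "tcp"


def demo():
    """Three offline scenarios against constructed replies; returns the outcomes."""
    q = build_query("example.com.")
    # constructed A record 192.0.2.1, name as pointer 0xc00c to the question
    rr = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01"
    full, trunc = build_response(q, False, rr), build_response(q, True)
    out = {"fits_in_udp": resolve("192.0.2.53", q, udp=lambda s, m: full)[1],
           "falls_back": resolve("192.0.2.53", q, udp=lambda s, m: trunc,
                                 tcp=lambda s, m: full)[1]}
    try:
        resolve("192.0.2.53", q, udp=lambda s, m: trunc, tcp=blocked_tcp)
        out["tcp_filtered"] = "answered"
    except TcpBlockedError:
        out["tcp_filtered"] = "TcpBlockedError"
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, "->", result)
```

For a live check of a firewall, call `resolve(server, build_query(name))` with the default transports and a name whose answer does not fit in 512 bytes; a `TcpBlockedError` rather than a `("...", "tcp")` result is the symptom both posters describe, and the same test with `udp=lambda s, m: build_response(m, True)` forces the TCP path regardless of answer size.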