using TCP53 for DNS

Christopher L. Morrow christopher.morrow at mci.com
Tue Apr 26 19:01:47 UTC 2005


On Tue, 26 Apr 2005, Florian Weimer wrote:
> * Patrick W. Gilmore:
> > At least one DoS mitigation box uses TCP53 to "protect" name
> > servers.  Personally I thought this was a pretty slick trick, but it
> > appears to have caused a lot of problems.  From the thread (certainly
> > not a scientific sampling), many people seem to be filtering port 53
> > TCP to their name servers.
>
> "To their name servers"?  I think you mean "from their caching
> resolvers to 53/TCP on other hosts".

It's a both-directions thing. Some folks dropped tcp/53 TO their AUTH
servers to protect against AXFRs from folks not their normal secondaries.
Obviously this is from before bind8+'s capability to ACL. Even after, I
imagine that folks left the filters in place either 'because' or 'I don't
run router ACLs' or 'laziness'...

>
> > Is this common?
>
> Hopefully not.  Resolvers MUST be able to make TCP connections to
> other name servers.

It seems that what might be more common is resolver code not handling the
truncate request properly :( That seemed to be the majority of the
problems last time we ran into this problem :(

-Chris
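The two failure modes in the thread (tcp/53 filtered, and resolver code that ignores the TC bit) both come down to one piece of client logic: check TC in the UDP reply and, if set, repeat the query over TCP with the 2-byte length prefix. The following is an added illustration, not code from this post or from any of the resolvers mentioned; the `udp_transport`/`tcp_transport` helpers, `query_with_tc_fallback` and the constructed `make_fake_response` double are all assumed names, and `192.0.2.1` is a placeholder address.

```python
import socket
import struct

DNS_FLAG_TC = 0x0200   # TC (truncation) bit in the DNS header flags word
DNS_PORT = 53


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header with RD set, one question (class IN).
    qtype 1 is an A query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def is_truncated(message):
    """True when the responding server set TC, i.e. the UDP answer was cut
    short and the client must retry the same query over TCP."""
    if len(message) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    (flags,) = struct.unpack("!H", message[2:4])
    return bool(flags & DNS_FLAG_TC)


def frame_for_tcp(message):
    """DNS over TCP prefixes every message with a 2-byte big-endian length
    (RFC 1035 section 4.2.2); UDP messages carry no such prefix."""
    return struct.pack("!H", len(message)) + message


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP/53 connection early")
        buf += chunk
    return buf


def udp_transport(server, timeout=2.0):
    """Real UDP/53 exchange; returns a callable for query_with_tc_fallback."""
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, DNS_PORT))
            return s.recv(4096)
    return send


def tcp_transport(server, timeout=2.0):
    """Real TCP/53 exchange: send the length-framed query, read the
    length-framed answer. This is the step a tcp/53 filter breaks."""
    def send(framed_query):
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
            s.sendall(framed_query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return _recv_exact(s, length)
    return send


def query_with_tc_fallback(query, udp_send, tcp_send):
    """Send over UDP; if the reply has TC set, repeat the query over TCP.
    Returns (response, used_tcp). Transports are injected so the decision
    logic can be exercised offline."""
    reply = udp_send(query)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch in UDP reply")
    if not is_truncated(reply):
        return reply, False
    reply = tcp_send(frame_for_tcp(query))
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch in TCP reply")
    return reply, True


def make_fake_response(query, truncated):
    """Constructed test double (not a real server): echoes the query's id and
    question, sets QR|RD|RA and optionally TC, carries no answer records."""
    flags = 0x8180 | (DNS_FLAG_TC if truncated else 0)
    (txid,) = struct.unpack("!H", query[:2])
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    # Offline walk-through with the constructed doubles: UDP says TC, TCP answers.
    q = build_query("example.com")
    udp = lambda m: make_fake_response(m, truncated=True)
    tcp = lambda f: make_fake_response(f[2:], truncated=False)
    resp, used_tcp = query_with_tc_fallback(q, udp, tcp)
    print("retried over TCP:", used_tcp, "final TC:", is_truncated(resp))
    # Against a live server (placeholder address) it would be:
    # query_with_tc_fallback(q, udp_transport("192.0.2.1"), tcp_transport("192.0.2.1"))
```

The useful diagnostic is the split between the two transports: a resolver that stops after the UDP reply is the "not handling truncate properly" case, while one that tries TCP and times out is the filtered-tcp/53 case; watching which branch fails tells you which side to fix.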


