using TCP53 for DNS
Christopher L. Morrow
christopher.morrow at mci.com
Tue Apr 26 19:01:47 UTC 2005
On Tue, 26 Apr 2005, Florian Weimer wrote:
> * Patrick W. Gilmore:
> > At least one DoS mitigation box uses TCP53 to "protect" name
> > servers. Personally I thought this was a pretty slick trick, but it
> > appears to have caused a lot of problems. From the thread (certainly
> > not a scientific sampling), many people seem to be filtering port 53
> > TCP to their name servers.
>
> "To their name servers"? I think you mean "from their caching
> resolvers to 53/TCP on other hosts".
It's a both-directions thing. Some folks dropped tcp/53 TO their AUTH
servers to protect against AXFRs from folks not their normal secondaries.
Obviously this is from before bind8+'s capability to acl. Even after, I
imagine that folks left the filters in place either 'because' or 'I don't
run router acls' or 'laziness'....
>
> > Is this common?
>
> Hopefully not. Resolvers MUST be able to make TCP connections to
> other name servers.
It seems that what might be more common is resolver code not handling the
truncate request properly :( That seemed to be the majority of the
problems last time we ran into this problem :(
-Chris
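The resolver behaviour the thread turns on, as an added example that is not part of the original post: a resolver that gets a UDP reply with the TC bit set must retry the same query over TCP/53, framed with the 2-byte length prefix from RFC 1035 section 4.2.2. The query name, ID and the truncated reply below are constructed sample data, not packets from the list.

```python
import struct

def build_query(qname: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS query: header with RD set, one question, class IN (constructed sample)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(response: bytes) -> bool:
    """True when the TC bit (bit 9 of the flags word at bytes 2..3) is set."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

def frame_for_tcp(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: on TCP every message is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def unframe_from_tcp(stream: bytes) -> bytes:
    """Strip the length prefix; raise if the stream does not yet hold the whole message."""
    if len(stream) < 2:
        raise ValueError("incomplete TCP length prefix")
    length = struct.unpack("!H", stream[:2])[0]
    if len(stream) < 2 + length:
        raise ValueError("incomplete TCP DNS message")
    return stream[2:2 + length]

def choose_transport(udp_response: bytes, query: bytes):
    """The decision the thread is about: on a truncated UDP reply, retry the query over TCP/53.
    A filter dropping tcp/53 to the authoritative server breaks exactly this step, and a
    resolver that ignores TC instead silently uses an incomplete answer."""
    if udp_response[:2] != query[:2]:
        raise ValueError("response ID does not match query")
    if is_truncated(udp_response):
        return ("tcp", frame_for_tcp(query))
    return ("udp", udp_response)

# Constructed truncated reply: same ID, flags 0x8380 = QR|TC|RD|RA, answer section dropped.
QUERY = build_query("example.com")
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    transport, payload = choose_transport(TRUNCATED_REPLY, QUERY)
    print(transport, payload[:2].hex())  # tcp 001d
```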