using TCP53 for DNS
Christopher L. Morrow
christopher.morrow at mci.com
Tue Apr 26 21:13:27 UTC 2005
On Tue, 26 Apr 2005, Florian Weimer wrote:
> * Christopher L. Morrow:
>
> > It's a both-directions thing. Some folks dropped tcp/53 TO their AUTH
> > servers to protect against AXFRs from folks not their normal secondaries.
>
> Ugh. And they didn't think something like "permit tcp any any eq 53
> established" was necessary?
>
That only helps for outbound from the server :( not for: "Hey, this response
is going to be too big, come back on TCP!" :(
> >> Hopefully not. Resolvers MUST be able to make TCP connections to
> >> other name servers.
> >
> > It seems that what might be more common is resolver code not handling the
> > truncate request properly :(
>
> Caching resolvers or stub resolvers? Caching resolvers would be quite
> surprising, but you never know.
I've seen Windows DNS servers misbehave in this way, as well as some
firewalls performing DNS cache/proxy for clients internal to
enterprises... (the MS boxen doing it were cache servers, of course)
>
> Certainly, there are some applications which cannot cope with large RR
> sets (qmail comes to my mind).
>
Oh, that has to suck for email delivery, eh? :(