large organization nameservers sending ICMP packets to DNS servers.

Donald Stahl don at calis.blacksun.org
Tue Aug 7 18:14:11 UTC 2007


> All things being equal (which they're usually not) you could use the ACK
> response time of the TCP handshake if they've got TCP DNS resolution
> available. Though again most don't for security reasons...
Then most are incredibly stupid.

Several anti-DoS utilities force unknown hosts to initiate a query via 
TCP in order to be whitelisted. If the host can't perform a TCP query, then 
they get blacklisted.

In addition, any UDP truncated response needs to be retried via TCP; 
blocking it would cause a variety of problems.

-Don
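The TC-bit retry described in the post, as an added example that is not part of the original message or of any real resolver: it builds a minimal RFC 1035 query, checks the TC flag in the UDP answer, and repeats the identical question over TCP with the 2-byte length framing that DNS-over-TCP uses. The "servers" (`udp_server_truncating`, `tcp_server_ok`, `tcp_server_blocked`) are constructed stand-ins so the code runs offline; the second one models a site that filters tcp/53, which is exactly the case where resolution fails.

```python
"""Added example (not from the original NANOG post): UDP query, TC bit,
then the same query over TCP.  Every 'server' here is a constructed
in-process fake; no packets are sent."""
import struct

# Flag bits in the DNS header flags word (RFC 1035 section 4.1.1)
QR = 0x8000  # message is a response
TC = 0x0200  # truncated: the answer did not fit in the UDP payload
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available


def build_query(name, qtype=1, txid=0x1234):
    """Minimal query: 12-byte header (RD set, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def txid_of(message):
    return struct.unpack("!H", message[:2])[0]


def is_truncated(message):
    return bool(struct.unpack("!H", message[2:4])[0] & TC)


def answer_count(message):
    return struct.unpack("!H", message[6:8])[0]


def tcp_frame(message):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("short TCP DNS message")
    return stream[2:2 + length]


def make_response(query, extra_flags, ancount):
    """Constructed response: echoes txid and question, sets flags and ANCOUNT.
    No real resource records are included; ANCOUNT is just a marker."""
    header = struct.pack("!HHHHHH", txid_of(query), QR | RD | RA | extra_flags,
                         1, ancount, 0, 0)
    return header + query[12:]


def resolve(query, udp_send, tcp_send):
    """Send over UDP; if the reply has TC set, repeat the same query over TCP."""
    resp = udp_send(query)
    if txid_of(resp) != txid_of(query):
        raise ValueError("transaction id mismatch")
    if not is_truncated(resp):
        return resp, "udp"
    # TC set: the UDP answer is incomplete and must not be used as-is.
    resp = tcp_unframe(tcp_send(tcp_frame(query)))
    return resp, "tcp"


# Constructed fake servers (assumptions for this example only)
def udp_server_truncating(query):
    # Pretends the answer exceeded the UDP limit: sets TC, returns no RRs.
    return make_response(query, TC, 0)


def tcp_server_ok(query_stream):
    return tcp_frame(make_response(tcp_unframe(query_stream), 0, 3))


def tcp_server_blocked(query_stream):
    # Site that filters tcp/53 "for security reasons".
    raise ConnectionRefusedError("tcp/53 filtered")


def demo():
    q = build_query("example.com")
    full, transport = resolve(q, udp_server_truncating, tcp_server_ok)
    result = {"transport": transport, "answers": answer_count(full)}
    try:
        resolve(q, udp_server_truncating, tcp_server_blocked)
        result["blocked_outcome"] = "resolved"
    except ConnectionRefusedError:
        result["blocked_outcome"] = "failed"
    return result


if __name__ == "__main__":
    print(demo())
```

With TCP reachable the truncated UDP reply is replaced by the complete TCP answer; with tcp/53 filtered the same lookup simply fails, which is the "variety of problems" the post refers to.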



More information about the NANOG mailing list