large organization nameservers sending icmp packets to dns servers.

Jason J. W. Williams williamsjj at digitar.com
Tue Aug 7 18:19:45 UTC 2007


Hi Donald,

I'm not prepared to call it stupid, but you're right, it can cause issues.

-J
--------------------
Sent via BlackBerry

----- Original Message -----
From: Donald Stahl <don at calis.blacksun.org>
To: Jason J. W. Williams
Cc: Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu>; John Levine <johnl at iecc.com>; nanog at nanog.org <nanog at nanog.org>
Sent: Tue Aug 07 12:14:11 2007
Subject: RE: large organization nameservers sending icmp packets to dns servers.

> All things being equal (which they're usually not) you could use the ACK
> response time of the TCP handshake if they've got TCP DNS resolution
> available. Though again most don't for security reasons...
Then most are incredibly stupid.

Several anti-DoS utilities force unknown hosts to initiate a query via 
TCP in order to be whitelisted. If the host can't perform a TCP query, then 
they get blacklisted.

In addition, any UDP truncated response needs to be retried via TCP; 
blocking it would cause a variety of problems.

-Don

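The TCP fallback Don describes is the resolver side of RFC 1035: a UDP answer with the TC (truncated) bit set carries an incomplete payload, and the resolver is expected to repeat the same question over TCP, framed with a two-byte length prefix. The following is an added illustration, not code from this thread or from any resolver mentioned in it. It builds a minimal query, detects TC in a response, frames the retry for TCP, and shows where a lookup dies when port 53/TCP is filtered at the authoritative server. The two sample responses and the name example.com are constructed for the example; the live `resolve()` function touches the network and is only there to show the full exchange.

```python
import socket
import struct
import secrets

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: payload did not fit, retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(qname, qtype=1, txid=None):
    """Build a minimal DNS query: 12-byte header plus one question (no EDNS)."""
    if txid is None:
        txid = secrets.randbits(16)  # unpredictable ID, one small anti-spoofing measure
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # class IN


def is_truncated(response):
    """True when the server set TC, meaning the UDP answer must not be trusted as complete."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


def tcp_frame(message):
    """DNS over TCP prefixes each message with its length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket, or fail if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full message")
        buf += chunk
    return buf


def resolve(qname, server, qtype=1, timeout=3.0):
    """UDP first; on TC, repeat the identical question over TCP. Uses the network."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(4096)
    if response[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    if not is_truncated(response):
        return response
    # A server that filters 53/TCP makes this connect fail or hang, so the
    # client ends up with no usable answer at all rather than a slower one.
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        length = struct.unpack("!H", recv_exact(tcp, 2))[0]
        return recv_exact(tcp, length)


# Constructed sample responses to a query with transaction ID 0x1234 (not captured traffic).
_QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
# Truncated reply: QR|TC|RD|RA set, question echoed, no answer records carried.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0) + _QUESTION
# Complete reply: one A record pointing at 192.0.2.1 (documentation range), name compressed to offset 12.
SAMPLE_COMPLETE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    + _QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    print("truncated sample needs TCP retry:", is_truncated(SAMPLE_TRUNCATED))
    print("complete sample needs TCP retry:", is_truncated(SAMPLE_COMPLETE))
    print("TCP-framed query length prefix:", tcp_frame(q)[:2].hex())
```

The offline samples exercise the decision point; `resolve("example.com", "<your resolver>")` runs the actual UDP-then-TCP exchange against a server of your choosing. Large signed or multi-record answers are the common trigger for TC, so an authoritative server that drops 53/TCP "for security" will work for small zones and break precisely for the records that need it most.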

