large organization nameservers sending icmp packets to dns servers.

John Kristoff jtk at
Sat Aug 11 02:55:16 UTC 2007

On Fri, 10 Aug 2007 16:11:04 -0700
Douglas Otis <dotis at> wrote:

> TCP offers a means to escape UDP related issues.  On the other hand,
> blocking TCP may offer the necessary motivation for having these UDP
> issues fixed.  After all, only UDP should be required.  When TCP is
> designed to readily fail, reliance upon TCP seems questionable.  As
> DNSSEC is introduced, TCP could be relied upon in the growing number
> of instances where UDP is improperly handled.

As a datapoint I ran some tests against a reasonably diverse and
sizeable TLD zone I work with in another forum.  I queried the name
servers listed in the parent to see if I could successfully query
them for their corresponding domain name they are configured for
using TCP.  Out of about 9,300 unique name servers I failed to
receive any answer from about 1700 of them.  That is a bit more
than an 18% failure rate.
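
One way to run the TCP check described in the message above, as an added example that is not part of the original post and is not the poster's tooling: it sends a non-recursive query with the two-byte TCP length prefix and counts a server as failed when no DNS response comes back. The function names, the SOA query type and the five-second timeout are assumptions.

```python
import socket
import struct

def build_query(zone, txid=0x1234, qtype=6):
    """Encode a non-recursive DNS query (assumed type SOA=6, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in zone.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_tcp(message):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(message)) + message

def _read_exact(sock, n):
    """Read exactly n bytes; TCP may deliver the reply in several segments."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full message")
        buf += chunk
    return buf

def answers_over_tcp(server, zone, port=53, timeout=5.0, txid=0x1234):
    """True if the server returns any DNS response for zone over TCP."""
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(frame_tcp(build_query(zone, txid)))
            (length,) = struct.unpack("!H", _read_exact(s, 2))
            reply = _read_exact(s, length)
    except OSError:  # refused, filtered (timeout), reset, or short read
        return False
    if len(reply) < 12:  # shorter than a DNS header
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & 0x8000)  # matching ID, QR bit set

def tcp_failure_rate(targets, probe=answers_over_tcp):
    """targets: iterable of (server, zone); returns (failed, total, percent)."""
    results = [probe(server, zone) for server, zone in targets]
    failed = results.count(False)
    total = len(results)
    return failed, total, (100.0 * failed / total if total else 0.0)
```

Any response, including REFUSED or SERVFAIL, counts as an answer here, so the failure count reflects TCP reachability rather than whether the server is authoritative for the zone.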
