maybe a dumb idea on how to fix the dns problems i don't know....

Rob Payne rnspayne at the-paynes.com
Sun Aug 10 16:05:04 CDT 2008


On Sun, Aug 10, 2008 at 01:06:06PM -0700, Chris Paul wrote:
> brett watson wrote:
> >>Hey authority DNS server operators. Can you make a change to your 
> >>servers to always allow TCP client connections? Would this be 
> >>difficult? What would be the harm?

> >SYN flooding?

> from your clients? We have ways of knowing people on our local network are 
> doing this type of thing and turn them off at the switch today. Why are 
> you doing dns recursion for people outside your network?

The question isn't whether to offer TCP/53 up at the recursive
server.  The issue is that for you to use TCP/53 from your recursive
server, it has to be offered up at the authoritative end.  

The authoritative server operators have to offer TCP/53 and the
firewall administrators between the recursive server and the
authoritative servers have to allow the traffic.

				 -rob
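
An added example, not part of the original message: a small probe an operator could run from the recursive side to see whether an authoritative server answers a query over TCP/53 and whether anything in the path filters it. The function names, the fixed transaction ID and the choice of an SOA query are assumptions made for illustration.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction ID, chosen for this example


def build_query(name, qtype=6):
    """Encode a minimal DNS query (qtype 6 = SOA, class IN, RD clear)."""
    header = struct.pack("!HHHHHH", TXID, 0x0000, 1, 0, 0, 0)
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver a message in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full message")
        buf += chunk
    return buf


def probe_tcp(server, name, port=53, timeout=3.0):
    """Return 'ok', 'blocked' or 'bad-reply' for a DNS-over-TCP query."""
    query = build_query(name)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            # DNS over TCP prefixes each message with a 2-byte length
            # (RFC 1035, section 4.2.2).
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            reply = _recv_exact(s, length)
    except OSError:
        # Refused (server not listening on TCP), timed out (filtered by a
        # firewall in the path), reset, or closed mid-message.
        return "blocked"
    if len(reply) < 12:
        return "bad-reply"
    txid, flags = struct.unpack("!HH", reply[:4])
    # A valid answer echoes our ID and has the QR (response) bit set.
    return "ok" if txid == TXID and flags & 0x8000 else "bad-reply"
```

A "blocked" result does not distinguish the server refusing TCP from a firewall dropping it; comparing against the same query over UDP narrows that down.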



