IPv4 ANYCAST setup

Kevin Oberman oberman at es.net
Tue Mar 30 04:59:56 UTC 2010


> From: Joe Abley <jabley at hopcount.ca>
> Date: Fri, 26 Mar 2010 10:06:02 -0700
> 
> On 2010-03-26, at 06:40, Max Larson Henry wrote:
> 
> >>> has someone experience in anycast ipv4 networks (to support DNS)?
> >> 
> >> "Never been done" "Dangerous" "TCP does not work" etc etc etc.
> > 
> > - Yes but as for DNS, anycast is essentially used for user requests (UDP)
> > not to perform zone transfer(TCP).
> 
> As others have mentioned, TCP can generally be used for any DNS query, not just AXFR.
> 
> This becomes more important as DNS responses get bigger, e.g. responses from root servers due to the root zone containing DNSSEC information, see <http://www.root-dnssec.org/>.
> 
> If your nameserver can't be reached over TCP, it's likely that there are people who can't talk to your nameserver. This means your DNS records can't be found. This is a bad thing.
> 
> Here, in glorious LOLCAPS:
> 
>   ALWAYS MAKE SURE YOUR DNS SERVER CAN BE REACHED OVER TCP
>   TCP IS NOT JUST FOR ZONE TRANSFERS
>   FIX YOUR FIREWALLS
> 
> :-)

Fix your security officers!

I have talked to multiple security officers (who are generally not
really knowledgeable on networks) who had 53/tcp blocked and none have
yet agreed to change it. The last one told me that blocking 53/tcp is
"standard industry practice" as per his firewall training. Pointing out
what the RFCs said simply bounced off of him. He said that if the protocols
would not handle blocked 53/tcp, the protocols would have to be
changed. Opening the port was simply not open to discussion.

They don't seem to really care if things are broken and seem to feel
that it is up to "the network" to accommodate their idea of normal
firewall configuration.

I will say that these were at federal government facilities. I hope the
commercial world is a bit more in touch with reality.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
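
The mechanism the thread is arguing about, as an added example that is not part of the NANOG post or of any quoted author's code: a stub resolver's UDP query comes back with the TC (truncated) bit set, and the client is then expected to repeat the same query over 53/tcp, where every message is preceded by a two-byte length (RFC 1035 section 4.2.2). The code below builds a query, frames and unframes it for TCP, spots TC=1 in a UDP reply, and pulls A records out of the full TCP reply. Both sample responses are constructed here (transaction ID 0x1234, example.com, the documentation address 192.0.2.1) rather than captured from any server; probe_tcp_53() does a real connection to a server you name and is only called from __main__, everything else runs offline.

```python
import socket
import struct

# Flag bits in the DNS header (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000   # this is a response
FLAG_TC = 0x0200   # response was truncated; retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard recursive query for (name, qtype, IN); no EDNS, so UDP is capped at 512 bytes."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP: each message is preceded by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(buf: bytes):
    """Return the first complete message in buf, or None if more bytes are needed."""
    if len(buf) < 2:
        return None
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + length:
        return None
    return buf[2:2 + length]


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response: bytes) -> bool:
    """A UDP answer with TC=1 is not usable; the client must repeat the query over TCP."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        n = msg[off]
        if n >= 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n


def extract_a_records(msg: bytes) -> list:
    """Return dotted-quad strings of the A records in the answer section."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(h["ancount"]):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def probe_tcp_53(server: str, name: str = "example.com", timeout: float = 3.0):
    """Live check of a nameserver: open 53/tcp, send a framed query, read a framed answer.
    Returns (True, addresses) or (False, reason). Not exercised offline."""
    query = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(query))
            buf = b""
            while (msg := tcp_unframe(buf)) is None:
                chunk = s.recv(4096)
                if not chunk:
                    return False, "connection closed before a full message arrived"
                buf += chunk
    except OSError as e:
        return False, "53/tcp unreachable: %s" % e
    h = parse_header(msg)
    if h["id"] != 0x1234 or not h["qr"]:
        return False, "reply is not an answer to our query"
    return True, extract_a_records(msg)


# Constructed sample messages (not captured from any real server).
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
# A UDP answer the server had to truncate: QR, TC, RD, RA set and no answer records.
TRUNCATED_UDP_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA,
                                     1, 0, 0, 0) + QUESTION
# The same query answered over TCP: one A record whose name is a pointer back to the question.
FULL_TCP_RESPONSE = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
                     + QUESTION
                     + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1"))

if __name__ == "__main__":
    print("UDP answer truncated, retry over TCP:", needs_tcp_retry(TRUNCATED_UDP_RESPONSE))
    print("TCP answer carries:", extract_a_records(FULL_TCP_RESPONSE))
```

Run `probe_tcp_53("192.0.2.53")` (substitute one of your own authoritative servers) from outside the firewall in question: a `(False, "53/tcp unreachable: ...")` result against a server that answers the same name over UDP is exactly the condition the thread warns about, and with DNSSEC-signed zones the truncated-then-retry path is hit by ordinary queries, not just AXFR.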




More information about the NANOG mailing list