Best practice on TCP replies for ANY queries

Anurag Bhatia me at
Wed Dec 11 18:25:14 UTC 2013


Yeah I can understand. Even DNSSEC will have issues with it which makes me
worry about rule even today.

On Wed, Dec 11, 2013 at 11:49 PM, ML <ml at> wrote:

> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
> >
> > I am sure I am not first person experiencing this issue. Curious to hear
> > how you are managing it. Also under what circumstances I can get a
> > legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> > then 1000 bytes?
> >
> >
> >
> I'm not a DNS guru so I don't have an exact answer.  However my gut
> feeling is that putting in a place a rule to drop or rate limit DNS
> replies greater than X bytes is probably going to come back to bite you
> in the future.
> No one can predict the future of what will constitute legitimate DNS
> traffic.


Anurag Bhatia

Linkedin <> |

More information about the NANOG mailing list