Comcast residential DNS contact

Pavel Odintsov pavel.odintsov at gmail.com
Wed Dec 3 14:44:20 UTC 2014


Hello!

But any other DNS type can be used for DNS amplification. RRL is the right
solution for the amplification issue. I recommend the NSD DNS server because
it's reliable and has complete support for DNSSEC, IPv6 and RRL.

On Wed, Dec 3, 2014 at 5:08 PM, Stephen Satchell <list at satchell.net> wrote:
> On 12/03/2014 04:04 AM, Niels Bakker wrote:
>> * shortdudey123 at gmail.com (Grant Ridder) [Wed 03 Dec 2014, 12:54 CET]:
>>> Both of Google’s public DNS servers return complete results every time
>>> and one of the two Comcast ones works fine.
>>>
>>> If this is working by design, can you provide the RFC with that info?
>>
>> An ANY query will typically return only what's already in the cache.  So
>> if you ask for MX records first and then query the same caching resolver
>> for ANY it won't return, say, any TXT records that may be present at the
>> authoritative nameserver.
>>
>> This could be implementation dependent, but Comcast's isn't wrong, and
>> you should not rely on ANY queries returning full data.  This has been
>> hashed out to tears in the past, for example when qm**l used to do these
>> queries in an attempt to optimise DNS query volumes and RTT.
>
> At the ISP I consult to, I filter all ANY queries, because they have
> been used for DNS amplification attacks.
>



-- 
Sincerely yours, Pavel Odintsov
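
The cache-only ANY behaviour described in the quoted reply above, as an added example that is not part of the original thread: a toy model of a caching resolver showing why two resolvers can answer the same ANY query differently. The zone data, class and function names are constructed for illustration; TTL expiry is ignored, and forwarding ANY upstream on a cold cache is an assumption.

```python
# Constructed sample zone data for example.com (not from the thread).
AUTHORITATIVE = {
    ("example.com.", "A"): ["192.0.2.10"],
    ("example.com.", "MX"): ["10 mail.example.com."],
    ("example.com.", "TXT"): ['"v=spf1 mx -all"'],
}


class CachingResolver:
    """Toy resolver: typed queries go upstream on a miss, ANY prefers the cache."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}  # (name, rrtype) -> list of rdata strings

    def query(self, name, rrtype):
        if rrtype == "ANY":
            return self._any(name)
        key = (name, rrtype)
        # Typed query: fetch from the authoritative data on a cache miss.
        if key not in self.cache and key in self.zone:
            self.cache[key] = list(self.zone[key])
        return {rrtype: self.cache.get(key, [])}

    def _any(self, name):
        # ANY is answered with whatever RRsets are already cached for the name.
        cached = {t: r for (n, t), r in self.cache.items() if n == name}
        if cached:
            return cached
        # Assumption: with nothing cached, ANY is forwarded and all RRsets kept.
        for (n, t), r in self.zone.items():
            if n == name:
                self.cache[(n, t)] = list(r)
        return {t: r for (n, t), r in self.cache.items() if n == name}


def demo():
    """Return the record types ANY yields from a warm and a cold resolver."""
    warm = CachingResolver(AUTHORITATIVE)
    warm.query("example.com.", "MX")  # an earlier MX lookup populates the cache
    cold = CachingResolver(AUTHORITATIVE)
    return (sorted(warm.query("example.com.", "ANY")),
            sorted(cold.query("example.com.", "ANY")))


if __name__ == "__main__":
    print(demo())
```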


