DNS Lookup - Filter "localhost"
David Conrad
drc at virtualized.org
Tue Nov 18 00:46:03 UTC 2014
>> 3. Do you block >512 Bytes DNS requests?
How many > 512 byte DNS requests are people seeing?
Perhaps the requester meant > 512 byte DNS responses?
Blocking > 512 byte responses would be ... unfortunate.
>> 4. Do you block non-UDP DNS requests or rate-limit requests?
> Yes
I presume (hope) the "yes" applies rate limiting? Blocking non-UDP DNS is a bad idea. As RFC 5966 states: "... it should be noted that failure to support TCP (or the blocking of DNS over TCP at the network layer) may result in resolution failure and/or application-level timeouts."
> block anycast/broadcast source address packets
How do you know if a source address is an anycast address?
> block fragmented packets
Why would you want to block fragmented packets?
Regards,
-drc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20141117/7b49a0f5/attachment.sig>
More information about the NANOG
mailing list