ECN, DNS and Firewalls

Mark Andrews marka at isc.org
Fri Dec 28 02:35:04 UTC 2018


There are major operators that still have STUPID firewall settings
in front of DNS servers that drop SYN packets with ECE and CWR set
17 years after ECN was specified.

Do you really want to add a second to EVERY DNS lookup that needs
to use TCP?  Modern OSes actually attempt to use ECN by default.  DNS
is time critical enough without introducing unnecessary delays.

If you have signed zones then TCP requests are almost certainly being
made to your servers.

EVERYONE TEST YOUR SERVERS FROM OUTSIDE YOUR NETWORK AND FIX THE BROKEN
FIREWALLS THAT ARE FOUND.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
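The firewall breakage described in the post comes down to how a rule compares TCP flag bits. The following is an added example, not code from the post or from ISC: it builds two constructed TCP SYN headers to port 53 (a plain SYN and an RFC 3168 ECN-setup SYN carrying ECE and CWR) and runs both through two mask/compare rules with the semantics of iptables' `--tcp-flags MASK COMP`. The `ALL` mask being 0xFF (so it covers the ECE and CWR bits) and `--syn` expanding to `--tcp-flags SYN,RST,ACK,FIN SYN` are taken from the iptables tcp match as I know it; the packet bytes and port numbers are constructed for the example.

```python
import struct

# TCP flag bits: RFC 793 (FIN..URG), RFC 3168 (ECE, CWR), RFC 3540 (NS).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (
    0x001, 0x002, 0x004, 0x008, 0x010, 0x020, 0x040, 0x080, 0x100)

# iptables' tcp match defines ALL as 0xFF, so it includes ECE (0x40) and CWR (0x80).
IPT_ALL = 0xFF


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header with no options (checksum left as 0)."""
    # Bytes 12-13: data offset (5 words) in the top nibble, three reserved
    # bits, then NS and the eight classic flag bits.
    offset_and_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def tcp_flags(header):
    """Extract the nine flag bits (NS + the 8 classic flags) from a raw TCP header."""
    return struct.unpack("!H", header[12:14])[0] & 0x1FF


def tcp_flags_match(flags, mask, comp):
    """Semantics of iptables --tcp-flags MASK COMP: masked bits must equal COMP."""
    return (flags & mask) == comp


def is_ecn_setup_syn(flags):
    """RFC 3168 ECN-setup SYN: SYN with both ECE and CWR set and ACK clear."""
    return (flags & (SYN | ACK | ECE | CWR)) == (SYN | ECE | CWR)


def accepted_syns(rule, headers):
    """Return the headers that the given (mask, comp) rule would let through."""
    mask, comp = rule
    return [h for h in headers if tcp_flags_match(tcp_flags(h), mask, comp)]


# Constructed sample packets: a plain SYN to port 53 and an ECN-setup SYN.
PLAIN_SYN = build_tcp_header(40000, 53, SYN)
ECN_SYN = build_tcp_header(40001, 53, SYN | ECE | CWR)

# The rule behind the stall the post describes: '--tcp-flags ALL SYN' demands
# that every other bit, ECE and CWR included, be zero, so the ECN-setup SYN is
# dropped and the client only connects after retrying without ECN.
BROKEN_RULE = (IPT_ALL, SYN)

# What the iptables '--syn' shorthand expands to: only SYN, RST, ACK and FIN
# are examined, so the ECN negotiation bits are ignored and the SYN passes.
CORRECT_RULE = (SYN | RST | ACK | FIN, SYN)

if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("correct", CORRECT_RULE)):
        accepted = accepted_syns(rule, [PLAIN_SYN, ECN_SYN])
        print(f"{name} rule accepts {len(accepted)} of 2 SYNs to port 53")
```

When auditing a ruleset for this problem, look for any SYN-matching rule whose mask includes bits beyond SYN, RST, ACK and FIN; a rule that only needs "this is a connection request" should examine those four bits and nothing else.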