[105198] in North American Network Operators' Group


Re: DNS problems to RoadRunner - tcp vs udp

daemon@ATHENA.MIT.EDU (Jeroen Massar)
Sat Jun 14 16:47:39 2008

Date: Sat, 14 Jun 2008 22:47:47 +0200
From: Jeroen Massar <jeroen@unfix.org>
To: Scott McGrath <mcgrath@fas.harvard.edu>
In-Reply-To: <48542CAA.5010503@fas.harvard.edu>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org


Scott McGrath wrote:
[..]
> For a long time there has been an effective practice of
> 
> UDP == resolution requests
> TCP == zone transfers

WRONG. TCP is there as a fallback when the answer of the question is too
large. Zone transfer you can limit in your software. If you can't
configure your dns servers properly then don't run DNS.
Also note that botnets have much more effective ways of taking you out.

And sometimes domains actually require TCP because there are too many
records for a label, e.g. http://stupid.domain.name/node/651
If you are thus blocking TCP for DNS resolution you suddenly were
blocking google and thus for some people "The Internet".

Also see:
http://homepages.tesco.net/J.deBoynePollard/FGA/dns-edns0-and-firewalls.html

(Which was the second hit for google(EDNS0) after a link to RFC2671)

Greets,
  Jeroen


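The point Jeroen makes above (TCP is the fallback for answers that do not fit in a UDP reply, not a "zone transfer only" channel) is easy to see in the wire protocol itself. The following is an added example, not code from the thread or from any of the people posting in it: it builds a DNS query, checks the TC bit on the UDP answer, and retries the same question over TCP with the two-byte length framing RFC 1035 requires. The "servers" are constructed in-memory stand-ins that produce canned responses, and the names and addresses (`many-records.example.`, `192.0.2.x`) are made up for the demonstration.

```python
"""Added example: UDP-first resolution with fallback to TCP on truncation.

Without EDNS0 a DNS/UDP reply is limited to 512 bytes (RFC 1035).  When the
answer does not fit, the server sets the TC (truncated) flag and the client
is expected to repeat the question over TCP, where every message carries a
2-byte length prefix (RFC 1035, section 4.2.2).  Blocking TCP/53 therefore
breaks resolution of any name whose answer exceeds the UDP limit.
The fake_udp_server / fake_tcp_server functions are constructed stand-ins;
no network I/O happens here."""
import struct

FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # response was truncated
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
TYPE_A, CLASS_IN = 1, 1
UDP_MAX = 512      # RFC 1035 UDP payload limit without EDNS0


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root label."""
    labels = name.strip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_query(qid, qname):
    """Standard query: header with RD set, one question, type A, class IN."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def is_truncated(msg):
    return bool(parse_header(msg)["flags"] & FLAG_TC)


def tcp_frame(msg):
    """DNS over TCP: each message is prefixed with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(buf):
    (length,) = struct.unpack("!H", buf[:2])
    return buf[2:2 + length]


def build_response(query, addresses, max_size=None):
    """Answer an A query with the given addresses.  If the full message would
    exceed max_size (the UDP case), reply with TC set and no answer records,
    which is what a nameserver does when the answer does not fit in UDP."""
    qid = parse_header(query)["id"]
    question = query[12:]            # echo the question section unchanged
    rrs = b""
    for ip in addresses:
        # owner name = compression pointer to offset 12 (the question name),
        # then TYPE A, CLASS IN, TTL 300, RDLENGTH 4, RDATA = IPv4 address
        rrs += (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                + bytes(int(o) for o in ip.split(".")))
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    full = struct.pack("!HHHHHH", qid, flags, 1, len(addresses), 0, 0) + question + rrs
    if max_size is not None and len(full) > max_size:
        return struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0) + question
    return full


def parse_a_answers(msg):
    """Extract IPv4 addresses from the answer section of a response."""
    hdr = parse_header(msg)
    off = 12
    while msg[off] != 0:             # skip the question name's labels
        off += 1 + msg[off]
    off += 1 + 4                     # root label, then QTYPE and QCLASS
    addrs = []
    for _ in range(hdr["ancount"]):
        off += 2                     # owner name is a 2-byte compression pointer
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve(qname, udp_send, tcp_send, qid=0x1234):
    """Ask over UDP first; if the reply is truncated, repeat the question over TCP.
    Returns (transport_used, list_of_addresses)."""
    query = build_query(qid, qname)
    resp = udp_send(query)
    if parse_header(resp)["id"] != qid:
        raise ValueError("response id does not match query id")
    transport = "udp"
    if is_truncated(resp):
        transport = "tcp"
        resp = tcp_unframe(tcp_send(tcp_frame(query)))
    return transport, parse_a_answers(resp)


# Constructed sample data: 32 A records are 512 bytes of RRs on their own, so
# the full answer can never fit in a 512-byte UDP reply.
MANY = ["192.0.2.%d" % i for i in range(1, 33)]
FEW = ["192.0.2.1"]


def fake_udp_server(records):
    return lambda q: build_response(q, records, max_size=UDP_MAX)


def fake_tcp_server(records):
    return lambda framed: tcp_frame(build_response(tcp_unframe(framed), records))


def demo():
    small = resolve("small.example.", fake_udp_server(FEW), fake_tcp_server(FEW))
    big = resolve("many-records.example.", fake_udp_server(MANY), fake_tcp_server(MANY))
    return small, big


if __name__ == "__main__":
    print(demo())   # small name answered over udp, the 32-record name over tcp
```

If `tcp_send` cannot reach the server (a firewall dropping TCP/53), the second step never completes and the client is left with a truncated reply carrying no answer records, which is exactly the "suddenly blocking google" failure described in the message. Zone transfers are restricted by the nameserver's own access controls, not by closing the transport that ordinary resolution also depends on.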

