[106701] in North American Network Operators' Group
Re: maybe a dumb idea on how to fix the dns problems i don't know....
daemon@ATHENA.MIT.EDU (Rob Payne)
Sun Aug 10 17:06:13 2008
Date: Sun, 10 Aug 2008 17:05:04 -0400
From: Rob Payne <rnspayne@the-paynes.com>
To: Chris Paul <chris.paul@rexconsulting.net>
In-Reply-To: <489F4A2E.1040803@rexconsulting.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Sun, Aug 10, 2008 at 01:06:06PM -0700, Chris Paul wrote:
> brett watson wrote:
> >>Hey authority DNS server operators. Can you make a change to your
> >>servers to always allow TCP client connections? Would this be
> >>difficult? What would be the harm?
> >SYN flooding?
> from your clients? We have ways of knowing people on our local network are
> doing this type of thing and turn them off at the switch today. Why are
> you doing DNS recursion for people outside your network?
The question isn't whether to offer TCP/53 up at the recursive
server. The issue is that for you to use TCP/53 from your recursive
server, it has to be offered up at the authoritative end.
The authoritative server operators have to offer TCP/53 and the
firewall administrators between the recursive server and the
authoritative servers have to allow the traffic.
-rob
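The practical check behind Rob's point, as an added example (not code from this thread or from any of its participants): a small Python script that sends a DNS query to a server over TCP/53 with the two-byte length framing DNS-over-TCP uses, and reports whether a well-formed reply came back. A refused or timed-out connection is exactly the case the message describes: either the authoritative server does not offer TCP/53 or a firewall between the recursive and authoritative ends drops it. The server address, the query name, the fixed transaction ID and the constructed reply bytes (a NOERROR answer of 192.0.2.1, a documentation address) are all assumptions made for the example.

```python
"""Check whether an authoritative DNS server answers over TCP/53.

Added example for this thread, not code from the original post. It builds a
minimal DNS query, wraps it in the 2-byte length prefix that DNS over TCP
requires (RFC 1035 section 4.2.2), and parses the reply header. The server
address, query name and the constructed reply below are assumed values.
"""
import socket
import struct
import sys

QUERY_ID = 0x1234  # fixed transaction ID so the reply can be matched (assumed value)


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query: 12-byte header with RD set, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its length as a 2-byte big-endian integer."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header. TC=1 on a UDP reply is what makes a resolver retry over TCP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def parse_tcp_reply(framed: bytes) -> dict:
    """Strip the TCP length prefix, check it against the payload, decode the header."""
    if len(framed) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:]
    if len(msg) != length:
        raise ValueError(f"framing mismatch: prefix says {length}, payload is {len(msg)}")
    if len(msg) < 12:
        raise ValueError("payload shorter than a DNS header")
    hdr = parse_header(msg)
    if hdr["id"] != QUERY_ID or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return hdr


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver the framed message in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def check_tcp53(server: str, name: str, timeout: float = 5.0) -> dict:
    """Connect to server:53 over TCP, send the query, return the parsed reply header.

    A refused or timed-out connection is the situation the thread is about: either
    the authoritative server does not listen on TCP or a firewall in the path drops it.
    """
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(name)))
        prefix = _recv_exact(s, 2)
        (length,) = struct.unpack("!H", prefix)
        return parse_tcp_reply(prefix + _recv_exact(s, length))


# Constructed reply (not captured traffic): NOERROR, one A record 192.0.2.1 for the
# example.com question, with the owner name compressed as a pointer to offset 12.
CONSTRUCTED_REPLY = tcp_frame(
    struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} <authoritative-server-ip> <name>")
        sys.exit(2)
    try:
        print(check_tcp53(sys.argv[1], sys.argv[2]))
    except (OSError, ValueError) as exc:
        print(f"TCP/53 check against {sys.argv[1]} failed: {exc}")
```

Run it from the recursive server's vantage point against each authoritative server it has to reach, since the thread's point is that the path matters as much as the listener: a server that answers over TCP from inside its own network may still be unreachable through an intermediate firewall that only permits UDP/53.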