[167430] in North American Network Operators' Group
Re: Best practice on TCP replies for ANY queries
daemon@ATHENA.MIT.EDU (Arturo Servin)
Wed Dec 11 14:18:17 2013
In-Reply-To: <CAJ0+aXZgYTFLzga-yTHyb-J_gWDOSAxd9-bY7eCvp2AivuqJzg@mail.gmail.com>
From: Arturo Servin <arturo.servin@gmail.com>
Date: Wed, 11 Dec 2013 17:17:33 -0200
To: Anurag Bhatia <me@anuragbhatia.com>
Cc: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I think it is a better idea to rate-limit your responses rather than
limiting the size of them.
AFAIK, bind has a way to do it.
.as
On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia <me@anuragbhatia.com> wrote:
> Hi ML
>
> Yeah, I can understand. Even DNSSEC will have issues with it, which makes me
> worry about the rule even today.
>
> On Wed, Dec 11, 2013 at 11:49 PM, ML <ml@kenweb.org> wrote:
>
>> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
>> >
>> > I am sure I am not the first person experiencing this issue. Curious to hear
>> > how you are managing it. Also, under what circumstances can I get a
>> > legitimate TCP query on port 53 whose reply exceeds a basic limit of less
>> > than 1000 bytes?
>> >
>>
>> I'm not a DNS guru, so I don't have an exact answer. However, my gut
>> feeling is that putting in place a rule to drop or rate-limit DNS
>> replies greater than X bytes is probably going to come back to bite you
>> in the future.
>>
>> No one can predict the future of what will constitute legitimate DNS
>> traffic.
>
> --
> Anurag Bhatia
> anuragbhatia.com
> Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
> Twitter <https://twitter.com/anurag_bhatia>
> Skype: anuragbhatia.com
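To show why rate limiting responses, as Arturo suggests, behaves differently from the "drop replies over N bytes" rule Anurag asked about, here is an added example that is not from the thread or from BIND: a simplified model of BIND's per-prefix response rate limiting (token bucket plus a TC=1 "slip"), run next to a 1000-byte size rule over constructed traffic. The limiter parameters, the traffic and the source addresses are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

class ResponseRateLimiter:
    """Per-source-prefix token bucket; a simplified model of BIND's RRL (assumption, not
    BIND's code). A prefix earns responses_per_second credits each second, banked up to
    `window` seconds' worth. Once overdrawn, responses are dropped, except that every
    `slip`-th one is answered with TC=1 so a real resolver retries over TCP while a
    spoofed victim receives a small packet instead of an amplified one."""

    def __init__(self, responses_per_second=5, window=5, slip=2, prefix_len=24):
        self.rps, self.cap = responses_per_second, responses_per_second * window
        self.slip, self.prefix_len = slip, prefix_len
        self.credit = {}                 # prefix -> (balance, second of last refill)
        self.limited = defaultdict(int)  # prefix -> number of rate-limited responses

    def decide(self, now, src_ip):
        """Return "answer", "slip" (truncated reply) or "drop" for one response."""
        key = ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        balance, last = self.credit.get(key, (self.cap, now))
        balance = min(self.cap, balance + (now - last) * self.rps) - 1
        self.credit[key] = (balance, now)
        if balance >= 0:
            return "answer"
        self.limited[key] += 1
        return "slip" if self.slip and self.limited[key] % self.slip == 0 else "drop"

def size_policy(response_bytes, limit=1000):
    """The size-based rule discussed in the thread: drop any reply over `limit` bytes."""
    return "drop" if response_bytes > limit else "answer"

# Constructed traffic, not captured data: one resolver fetching a ~1400-byte DNSSEC
# answer, plus a spoofed-source ANY flood of 20 queries/second for three seconds,
# each drawing a ~3200-byte response. Tuples are (second, source IP, response bytes).
TRAFFIC = [(0, "198.51.100.10", 1400)] + [(i // 20, "192.0.2.7", 3200) for i in range(60)]

def run(traffic, limiter=None):
    """Apply both policies to every event -> [(source, size decision, RRL decision)]."""
    limiter = limiter or ResponseRateLimiter()
    return [(src, size_policy(size), limiter.decide(t, src)) for t, src, size in traffic]

def summarize(results):
    """Count RRL decisions per source, e.g. {"192.0.2.7": {"answer": 30, ...}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, _, by_rate in results:
        counts[src][by_rate] += 1
    return {src: dict(c) for src, c in counts.items()}

if __name__ == "__main__":
    print(summarize(run(TRAFFIC)))  # the size rule drops every one of these replies
```

The size rule discards the legitimate DNSSEC answer along with the flood, while the rate limiter answers the resolver and only starts slipping or dropping the flooding prefix once it exceeds its credit.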