[167466] in North American Network Operators' Group
Re: Best practice on TCP replies for ANY queries
daemon@ATHENA.MIT.EDU (Tony Finch)
Thu Dec 12 08:29:59 2013
Date: Thu, 12 Dec 2013 13:29:45 +0000
From: Tony Finch <dot@dotat.at>
To: Anurag Bhatia <me@anuragbhatia.com>
In-Reply-To: <CAJ0+aXZ5kC=ngBYdZbK2A+d296uVotdyTHBii4NgJTtbdyGhDw@mail.gmail.com>
Cc: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Anurag Bhatia <me@anuragbhatia.com> wrote:
>
> Now I see the presence of some (legitimate) DNS forwarders and hence I don't
> wish to limit queries.
You are going to have to change your mind about this one. Open recursive
resolvers are a really bad idea, unless you can afford a lot of time and
cleverness to manage the abuse. Get your users to choose a more
appropriate name server, and restrict your name server to your local
networks.
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
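As an added illustration of the advice above (this is not part of Tony's post or of the NANOG thread), the following BIND 9 named.conf fragment shows an open-recursion configuration beside one restricted to local networks. The two `options` stanzas are alternatives; only one may appear in a real named.conf. The 192.0.2.0/24 and 2001:db8::/32 prefixes are documentation ranges standing in for the operator's own address space, and the `rate-limit` and `minimal-any` options assume BIND 9.10+ and 9.11+ respectively.

```conf
// WEAK: anyone on the Internet can use this server as a recursive resolver
// and use it as an amplifier for spoofed queries (ANY is the usual choice).
options {
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// HARDENED: recursive service only for the networks listed in the ACL.
// Everything else gets REFUSED. Replace the prefixes with your own ranges
// (the ones below are documentation ranges, i.e. an assumption for this example).
acl "local-nets" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    recursion yes;
    allow-query       { "local-nets"; };   // who may ask this server anything
    allow-recursion   { "local-nets"; };   // who may ask it to recurse
    allow-query-cache { "local-nets"; };   // no cache snooping from outside

    // If this server must also serve authoritative zones to the world,
    // open those zones individually with a zone-level
    //     allow-query { any; };
    // and bound what a spoofed source can extract from them:
    rate-limit {
        responses-per-second 10;
        slip 2;        // every 2nd dropped answer is sent truncated (TC=1), pushing real clients to TCP
    };
    minimal-any yes;   // ANY over UDP gets a single RRset; the full answer only over TCP
};
```

Validate the file with `named-checkconf` before reloading. From a host outside the ACL, `dig @<server> example.com` should come back with status REFUSED; from inside it should resolve normally. The recursive and authoritative roles are easier to secure on separate servers, which is what makes the "restrict to local networks" advice above simple to apply.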