[176182] in North American Network Operators' Group
Re: DNS Lookup - Filter "localhost"
daemon@ATHENA.MIT.EDU (David Conrad)
Mon Nov 17 19:46:10 2014
From: David Conrad <drc@virtualized.org>
In-Reply-To: <546A7159.90806@satchell.net>
Date: Mon, 17 Nov 2014 16:46:03 -0800
To: Stephen Satchell <list@satchell.net>
Cc: nanog@nanog.org, "Radke, Justin" <jradke@canbytel.com>
>> 3. Do you block >512 Bytes DNS requests?
How many > 512 byte DNS requests are people seeing?
Perhaps the requester meant > 512 byte DNS responses?
Blocking > 512 byte responses would be ... unfortunate.
>> 4. Do you block non-UDP DNS requests or rate-limit requests?
> Yes
I presume (hope) the "yes" applies to rate limiting? Blocking non-UDP DNS
is a bad idea. As RFC 5966 states: "... it should be noted that failure
to support TCP (or the blocking of DNS over TCP at the network layer)
may result in resolution failure and/or application-level timeouts."
> block anycast/broadcast source address packets
How do you know if a source address is an anycast address?
> block fragmented packets
Why would you want to block fragmented packets?
Regards,
-drc
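
The filtering choices questioned in this message, as an added example that is not part of the original post: it reads the EDNS0 size a query advertises and reports what happens to a response of a given length under a ">512 byte" UDP filter or a TCP/53 block. All function names are hypothetical, the sample queries are constructed, and the model assumes an oversized answer is truncated and retried over TCP.

```python
import struct

def build_query(name, edns_size=None):
    """Constructed sample: an A query for `name`, optionally carrying an EDNS0 OPT record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    if edns_size:                                     # OPT RR: root name, TYPE=41, CLASS=size
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg

def skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name starting at pos."""
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:                          # compression pointer ends the name
            return pos + 2
        pos += 1 + n

def advertised_udp_size(query):
    """UDP payload size the client accepts: 512 unless an OPT RR advertises more."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    pos = 12
    for _ in range(qd):                               # skip the question section
        pos = skip_name(query, pos) + 4
    for _ in range(an + ns + ar):
        pos = skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        if rtype == 41:                               # OPT: CLASS field holds the size
            return max(rclass, 512)
        pos += 10 + rdlen
    return 512

def outcome(query, response_len, drop_udp_over_512, block_tcp53):
    """Fate of a response_len-byte answer under the given filter policy (simplified)."""
    if response_len > advertised_udp_size(query):     # server sets TC, client retries on TCP
        return "fails: TCP blocked" if block_tcp53 else "ok: TCP"
    if drop_udp_over_512 and response_len > 512:      # a client may retry; first answer is lost
        return "dropped: UDP response over 512 bytes"
    return "ok: UDP"
```
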