[80145] in North American Network Operators' Group
Re: using TCP53 for DNS
daemon@ATHENA.MIT.EDU (Florian Weimer)
Tue Apr 26 14:48:59 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: nanog@merit.edu
Date: Tue, 26 Apr 2005 20:45:16 +0200
In-Reply-To: <CEE26A72-6288-46E9-9499-386F3277B442@ianai.net> (Patrick W. Gilmore's message of "Tue, 26 Apr 2005 12:39:09 -0400")
Errors-To: owner-nanog@merit.edu
* Patrick W. Gilmore:
> At least one DoS mitigation box uses TCP53 to "protect" name
> servers. Personally I thought this was a pretty slick trick, but it
> appears to have caused a lot of problems. From the thread (certainly
> not a scientific sampling), many people seem to be filtering port 53
> TCP to their name servers.
"To their name servers"? I think you mean "from their caching
resolvers to 53/TCP on other hosts".
> Is this common?
Hopefully not. Resolvers MUST be able to make TCP connections to
other name servers.
> Does anyone have stats on this (roots, GTLDs, other big name server
> farms)?
What kind of stats? I might be able to provide some statistics about
TC flag usage, but I doubt that this data is interesting.
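The point Florian makes above (a resolver must be able to retry over 53/TCP when a UDP answer comes back with the TC bit set) can be shown in code. The following is an added example, not part of the original post or of any resolver the thread mentions: it builds a minimal DNS query, reads the TC flag out of a response header (RFC 1035 section 4.1.1), applies the two-byte length prefix that DNS over TCP uses (RFC 1035 section 4.2.2), and drives the UDP-then-TCP fallback through injectable transport callables so it runs offline. The `make_response` fixture, the `send_udp`/`send_tcp` callables and the transaction id 0x1234 are constructed for the example; a real resolver would use random transaction ids and source ports.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: retry this query over TCP
FLAG_RD = 0x0100  # recursion desired


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """One question, RD set, no answer/authority/additional sections."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Return the fields of the 12-octet header a resolver checks before trusting a reply."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split one length-prefixed message off a TCP byte stream; returns (message, remainder)."""
    if len(stream) < 2:
        raise ValueError("need 2-octet length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("incomplete TCP-framed message")
    return stream[2:2 + length], stream[2 + length:]


def make_response(query, truncated):
    """Constructed fixture: echo the query back with QR (and optionally TC) set, no answers."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= FLAG_QR
    if truncated:
        flags |= FLAG_TC
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar) + query[12:]


def query_with_tcp_fallback(qname, send_udp, send_tcp, qtype=1, txid=0x1234):
    """Send over UDP; if the reply is truncated, repeat the same query over TCP.

    send_udp(datagram) -> reply datagram; send_tcp(framed bytes) -> framed reply bytes.
    Returns (reply message, transport used). Raises if the TCP path is blocked or
    the reply still claims truncation, which is exactly the failure a 53/TCP filter causes.
    """
    query = build_query(qname, qtype, txid)
    reply = send_udp(query)
    hdr = parse_header(reply)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("UDP reply does not match our query")
    if not hdr["tc"]:
        return reply, "udp"
    # TC set: the answer did not fit in the datagram, so the resolver MUST retry over TCP.
    reply, _rest = tcp_unframe(send_tcp(tcp_frame(query)))
    hdr = parse_header(reply)
    if hdr["id"] != txid or not hdr["qr"] or hdr["tc"]:
        raise ValueError("TCP retry did not yield a complete reply")
    return reply, "tcp"


if __name__ == "__main__":
    # Simulated server: truncates over UDP, answers fully over TCP.
    udp = lambda m: make_response(m, truncated=True)
    tcp = lambda f: tcp_frame(make_response(tcp_unframe(f)[0], truncated=False))
    _reply, transport = query_with_tcp_fallback("example.com", udp, tcp)
    print("answer obtained over", transport)  # tcp
    # Simulated 53/TCP filter: the TCP retry never gets a reply.
    try:
        query_with_tcp_fallback("example.com", udp, lambda f: b"")
    except ValueError as exc:
        print("resolution failed:", exc)
```

The fallback is triggered only by the TC bit, which is why statistics on TC usage (as Florian offers) say how often a resolver behind a 53/TCP filter would silently fail rather than how often TCP is merely attempted.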