[80148] in North American Network Operators' Group
Re: using TCP53 for DNS
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Tue Apr 26 15:04:01 2005
Date: Tue, 26 Apr 2005 19:01:47 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <87pswhwf5v.fsf@deneb.enyo.de>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>, nanog@merit.edu
Errors-To: owner-nanog@merit.edu
On Tue, 26 Apr 2005, Florian Weimer wrote:
> * Patrick W. Gilmore:
> > At least one DoS mitigation box uses TCP53 to "protect" name
> > servers. Personally I thought this was a pretty slick trick, but it
> > appears to have caused a lot of problems. From the thread (certainly
> > not a scientific sampling), many people seem to be filtering port 53
> > TCP to their name servers.
>
> "To their name servers"? I think you mean "from their caching
> resolvers to 53/TCP on other hosts".
It's a both-directions thing. Some folks dropped tcp/53 TO their AUTH
servers to protect against AXFRs from folks not their normal secondaries.
Obviously this is from before bind8+'s capability to acl. Even after, I
imagine that folks left the filters in place either 'because' or 'I don't
run router acls' or 'laziness'....
>
> > Is this common?
>
> Hopefully not. Resolvers MUST be able to make TCP connections to
> other name servers.
It seems that what might be more common is resolver code not handling the
truncate request properly :( That seemed to be the majority of the
problems last time we ran into this problem :(
-Chris
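As an added illustration of the two points in this thread (the TC bit that tells a resolver to retry over TCP, and the RFC 1035 two-byte length framing that retry needs), here is example code that is not part of the post or of any real resolver; the sample query and responses are constructed inline, and the helper names are assumptions.

```python
import struct
from typing import Tuple

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD=1) plus one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # IN class

def is_truncated(response: bytes) -> bool:
    """True when the TC bit (0x0200 in the flags word) is set."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

def frame_for_tcp(message: bytes) -> bytes:
    """RFC 1035 section 4.2.2: prefix the message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def next_step(query: bytes, udp_response: bytes) -> Tuple[str, bytes]:
    """What a correct resolver does with a UDP answer.

    Returns ("discard", b"") on a transaction-id mismatch,
    ("retry_tcp", <framed query>) when the answer is truncated, and
    ("accept", <response>) otherwise. A resolver that cannot reach 53/TCP
    (or ignores TC) gets stuck at the retry_tcp branch, which is the
    failure mode described in the thread.
    """
    if udp_response[:2] != query[:2]:
        return ("discard", b"")
    if is_truncated(udp_response):
        return ("retry_tcp", frame_for_tcp(query))
    return ("accept", udp_response)

# Constructed sample responses echoing the question section of our query.
# 0x8380 = QR|TC|RD|RA, 0x8180 = QR|RD|RA (no truncation).
_QUESTION = build_query("example.com")[12:]
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION
COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION
```

If the "retry_tcp" branch is taken, the resolver opens a TCP connection to port 53 on the same server and writes the framed query; a filter on tcp/53 in either direction turns that into a timeout.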