[80149] in North American Network Operators' Group
Re: using TCP53 for DNS
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Tue Apr 26 15:07:02 2005
In-Reply-To: <87pswhwf5v.fsf@deneb.enyo.de>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>
From: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Tue, 26 Apr 2005 15:04:25 -0400
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
On Apr 26, 2005, at 2:45 PM, Florian Weimer wrote:
> * Patrick W. Gilmore:
>
>> At least one DoS mitigation box uses TCP53 to "protect" name
>> servers. Personally I thought this was a pretty slick trick, but it
>> appears to have caused a lot of problems. From the thread (certainly
>> not a scientific sampling), many people seem to be filtering port 53
>> TCP to their name servers.
>>
>
> "To their name servers"? I think you mean "from their caching
> resolvers to 53/TCP on other hosts".
Either. Both.
>> Is this common?
>
> Hopefully not. Resolvers MUST be able to make TCP connections to
> other name servers.
I hope not as well, but people have posted here that they are doing
so. Which is why I am asking. :-)
>> Does anyone have stats on this (roots, GTLDs, other big name server
>> farms)?
>
> What kind of stats? I might be able to provide some statistics about
> TC flag usage, but I doubt that this data is interesting.
I am interested in how many name servers - caching or authoritative -
are filtering incoming and/or outgoing TCP port 53.
_Personally_ I am most interested in what percentage of caching name
servers are incapable (either because of filters, software
limitations, or any other reason) of making TCP queries.
More generally, I am interested in how many name servers are
filtering TCP53 in any direction.
--
TTFN,
patrick
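The "Resolvers MUST be able to make TCP connections" point above is mechanical: when an authoritative server's UDP reply sets the TC (truncated) bit, the resolver is expected to repeat the query over 53/TCP, and a resolver behind a filter that drops outbound 53/TCP simply never gets the full answer. The following is an added example, not code from this thread or from any of the posters, that builds a raw DNS query, performs that UDP-then-TCP fallback, and can be pointed at a name server to see whether it answers on 53/TCP at all. The query name `example.com.`, the TEST-NET address `192.0.2.1` and the injectable `udp`/`tcp` transport parameters are this example's own assumptions; the wire format (12-byte header, TC flag 0x0200, 2-byte length prefix on TCP) is RFC 1035.

```python
"""Check whether a name server answers on 53/TCP, and demonstrate the
UDP -> TCP fallback a resolver must perform when a reply is truncated.
Added example for this thread; not code posted by anyone in it."""
import secrets
import socket
import struct

QTYPE_A = 1
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def build_query(qname, qtype=QTYPE_A, qid=None):
    """Wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS IN."""
    if qid is None:
        qid = secrets.randbelow(0x10000)  # unpredictable ID: one anti-spoofing check
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """The header fields a resolver looks at before deciding what to do with a reply."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "ancount": an}


def frame_tcp(msg):
    """RFC 1035 4.2.2: over TCP every message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed 53/TCP mid-message")
        buf += chunk
    return buf


def udp_query(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(4096)
    return resp


def tcp_query(server, query, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def resolve_with_fallback(server, qname, qtype=QTYPE_A, udp=udp_query, tcp=tcp_query):
    """Query over UDP; if the reply is truncated (TC=1), retry over TCP.
    Returns (response_bytes, transport_used). The transports are injectable
    (an assumption of this example) so the logic can be run against
    constructed replies without a network."""
    query = build_query(qname, qtype)
    qid = parse_header(query)["id"]
    resp = udp(server, query)
    hdr = parse_header(resp)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("UDP reply does not match our query (wrong ID or not a response)")
    if not hdr["tc"]:
        return resp, "udp"
    # Truncated: a resolver that cannot reach 53/TCP is stuck right here.
    try:
        resp = tcp(server, query)
    except OSError as exc:
        raise RuntimeError(f"{server} truncated the UDP answer but 53/TCP failed: {exc}") from exc
    hdr = parse_header(resp)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("TCP reply does not match our query")
    return resp, "tcp"


def check_tcp53(server, qname="example.com."):
    """True if server returns a DNS response to a plain query on 53/TCP."""
    try:
        return parse_header(tcp_query(server, build_query(qname)))["qr"]
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    for ns in sys.argv[1:]:
        print(ns, "answers 53/TCP" if check_tcp53(ns) else "does NOT answer 53/TCP")
```

Run it as `python3 tcp53check.py <address of a name server>` to get the per-server answer Patrick is asking about; a timeout or connection refused on the TCP leg is reported the same way a filtered port would be, so a refused connection is evidence of filtering only if the same server answers the UDP query. The ID check on each reply is the minimum a resolver should do before trusting an answer; real resolvers also match the question section and source port.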