[98388] in North American Network Operators' Group


RE: large organization nameservers sending icmp packets to dns

daemon@ATHENA.MIT.EDU (Donald Stahl)
Tue Aug 7 14:20:55 2007

Date: Tue, 7 Aug 2007 14:14:11 -0400 (EDT)
From: Donald Stahl <don@calis.blacksun.org>
To: "Jason J. W. Williams" <williamsjj@digitar.com>
Cc: Valdis.Kletnieks@vt.edu, John Levine <johnl@iecc.com>, nanog@nanog.org
In-Reply-To: <D7D0907E265A834D995B9B4FC0078D4E76AD7B@aristotle.boi.corp.us.digitar.com>
Errors-To: owner-nanog@merit.edu


> All things being equal (which they're usually not) you could use the ACK
> response time of the TCP handshake if they've got TCP DNS resolution
> available. Though again most don't for security reasons...
Then most are incredibly stupid.

Several anti-DoS utilities force unknown hosts to initiate a query via 
TCP in order to be whitelisted. If the host can't perform a TCP query then 
they get blacklisted.

In addition, any UDP truncated response needs to be retried via TCP; 
blocking it would cause a variety of problems.

-Don
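The UDP-to-TCP retry Don describes, as an added example that is not part of the original post or of any of the anti-DoS tools it mentions: a minimal DNS client in Python that sends a query over UDP, checks the TC (truncated) bit in the response header, and retries the same query over TCP with the two-byte length prefix that TCP DNS requires (RFC 1035). The transports are injected as functions so the fallback logic can be exercised offline against constructed responses; `tcp_check` is an operator self-check that a nameserver actually answers on 53/tcp before anyone blocks it. The server address, the name example.com and the transaction ID are assumptions for illustration.

```python
"""DNS query with UDP-first / TCP-on-truncation fallback.

Added example; not code from the post. Demonstrates why a resolver that
cannot reach 53/tcp breaks on any answer that does not fit in a UDP reply.
"""
import socket
import struct

QR_FLAG = 0x8000   # header flags: this message is a response
TC_FLAG = 0x0200   # header flags: response was truncated, retry over TCP
RD_FLAG = 0x0100   # header flags: recursion desired


def build_query(name, qtype=1, txid=0x1234):
    """Build a bare DNS query for `name` (QTYPE defaults to A=1, class IN).
    txid is a fixed assumed value here; a real client randomizes it."""
    header = struct.pack('!HHHHHH', txid, RD_FLAG, 1, 0, 0, 0)
    labels = name.rstrip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'
    return header + qname + struct.pack('!HH', qtype, 1)


def is_truncated(msg):
    """True if the response header has TC set, i.e. the UDP answer was cut short."""
    if len(msg) < 12:
        raise ValueError('DNS message shorter than the 12-byte header')
    flags = struct.unpack('!H', msg[2:4])[0]
    return bool(flags & TC_FLAG)


def frame_tcp(msg):
    """TCP DNS prefixes every message with its 2-byte big-endian length."""
    return struct.pack('!H', len(msg)) + msg


def _recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('peer closed before the full message arrived')
        buf += chunk
    return buf


def read_tcp_message(sock):
    """Read exactly one length-prefixed DNS message from a TCP socket."""
    (length,) = struct.unpack('!H', _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def udp_exchange(server, query, timeout=3.0):
    """Real-network UDP transport (assumed server address, port 53)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
        return data


def tcp_exchange(server, query, timeout=3.0):
    """Real-network TCP transport with length framing on both directions."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        return read_tcp_message(s)


def resolve(query, udp_send, tcp_send):
    """UDP first; if the answer is truncated, resend the same query over TCP.
    Returns (response, transport_used). The send functions are injected so the
    logic runs offline; pass udp_exchange/tcp_exchange partials for real use."""
    resp = udp_send(query)
    if not is_truncated(resp):
        return resp, 'udp'
    try:
        return tcp_send(query), 'tcp'
    except OSError as e:
        # This is the failure the post warns about: a truncated UDP answer
        # and no TCP path means the client never gets the full response.
        raise RuntimeError('truncated UDP answer and TCP retry failed: %s' % e)


def tcp_check(server, name='example.com.'):
    """Operator self-check: does `server` answer a query over TCP at all?
    Returns False if the connection is refused/filtered or the reply is not a response."""
    try:
        resp = tcp_exchange(server, build_query(name))
    except OSError:
        return False
    return len(resp) >= 12 and bool(struct.unpack('!H', resp[2:4])[0] & QR_FLAG)


if __name__ == '__main__':
    # Real use against an assumed resolver address; replace with your own server.
    server = '192.0.2.53'
    print('tcp answers:', tcp_check(server))
```

Run `tcp_check` against each authoritative server you operate; a `False` there means truncated answers (large TXT/DNSKEY sets, long NS lists) cannot be fetched by any standards-following resolver, and the TCP-probing anti-DoS tools the post mentions will classify your clients the same way.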
