[98390] in North American Network Operators' Group
Re: large organization nameservers sending icmp packets to dns servers.
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Tue Aug 7 14:46:47 2007
In-Reply-To: <20070807141140.X95357@calis.blacksun.org>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>
From: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Tue, 7 Aug 2007 14:38:06 -0400
To: Nanog <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu
On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote:
>> All things being equal (which they're usually not) you could use
>> the ACK response time of the TCP handshake if they've got TCP DNS
>> resolution available. Though again most don't for security reasons...
>
> Then most are incredibly stupid.
Those are impressively harsh words.
Mind if I ask what operational experience you have with name servers
behind firewalls filtering TCP53? I have none, so perhaps you could
enlighten us with your vast experience?
> Several anti DoS utilities force unknown hosts to initiate a query
> via TCP in order to be whitelisted. If the host can't perform a TCP
> query then they get blacklisted.
That trick is so well known, most people turn it off since there has
been more than one instance of large, well known organizations
suffering spectacular failures by using it. The phrase "worse than
the disease" comes to mind.
> In addition, any UDP truncated response needs to be retried via
> TCP; blocking it would cause a variety of problems.
Since we are talking about authorities here, one can control the size
of one's responses.
Unless, of course, you are so incredibly stupid you can't figure out
the difference between an authority and a caching server.
--
TTFN,
patrick
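The two mechanisms argued over above (a truncated UDP answer forcing a retry over TCP/53, and an authority keeping its own responses under the client's limit so that retry never happens) are shown in the following added example. It is not code from the thread or from any of the posters; the wire-format helpers, the toy authority `build_response`, the resolver `resolve`, and the sample query/addresses are all constructed here for illustration, and the transports are injected callables so nothing touches the network.

```python
"""DNS truncation (TC bit) and the TCP retry, with a toy authority that
limits its own response size. Added example, not from the NANOG thread;
all names, addresses and limits are constructed for illustration."""
import struct

QTYPE_A, CLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, qtype=QTYPE_A):
    hdr = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)   # QDCOUNT=1
    return hdr + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def question_len(msg):
    """Offset just past the question section (name + QTYPE + QCLASS)."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4


def build_response(query, addresses, max_size=512):
    """Toy authority: answer with A records but never exceed max_size.
    If the full answer will not fit, send the RRs that do and set TC,
    which is what tells a resolver to retry the query over TCP."""
    question = query[12:question_len(query)]
    qid = parse_header(query)["id"]

    def a_rr(ip):  # name as compression pointer to offset 12, TTL 300, 4-byte RDATA
        return (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4)
                + bytes(int(o) for o in ip.split(".")))

    answers, size, truncated = [], 12 + len(question), False
    for ip in addresses:
        rr = a_rr(ip)
        if size + len(rr) > max_size:
            truncated = True
            break
        answers.append(rr)
        size += len(rr)
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if truncated else 0)
    hdr = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    return hdr + question + b"".join(answers)


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(buf):
    (n,) = struct.unpack("!H", buf[:2])
    return buf[2:2 + n]


def resolve(query, udp_send, tcp_send):
    """Resolver side: query over UDP first; if the answer is truncated, retry
    over TCP. Returns (response, transport_used). tcp_send=None models a
    firewall that filters TCP/53: a truncated answer then cannot be completed."""
    resp = udp_send(query)
    hdr = parse_header(resp)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("response ID does not match query")
    if not hdr["tc"]:
        return resp, "udp"
    if tcp_send is None:
        raise RuntimeError("truncated UDP response but TCP/53 is unavailable")
    return tcp_unframe(tcp_send(tcp_frame(query))), "tcp"


if __name__ == "__main__":
    # Constructed sample: 40 A records do not fit in 512 bytes, so the
    # authority truncates and the resolver falls back to TCP.
    addrs = ["10.0.0.%d" % i for i in range(1, 41)]
    q = build_query(0x1234, "example.com")
    udp = lambda m: build_response(m, addrs, 512)
    tcp = lambda f: tcp_frame(build_response(tcp_unframe(f), addrs, 65535))
    resp, used = resolve(q, udp, tcp)
    print(used, parse_header(resp)["ancount"])              # tcp 40
    # An authority that keeps its answer small never triggers the retry.
    resp, used = resolve(q, lambda m: build_response(m, addrs[:20], 512), None)
    print(used, parse_header(resp)["ancount"])              # udp 20
```

Running the demo shows the two sides of the argument in one place: with 40 records the UDP answer carries only the 30 that fit, TC is set, and a resolver behind a TCP/53 filter gets a `RuntimeError` instead of a complete answer; with the authority trimmed to 20 records the UDP answer is complete and TCP is never needed.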