nanog mailing list archives

Re: DNS Lookup - Filter "localhost"


From: David Conrad <drc () virtualized org>
Date: Mon, 17 Nov 2014 16:46:03 -0800

> 3. Do you block >512 Bytes DNS requests?

How many > 512 byte DNS requests are people seeing?

Perhaps the requester meant > 512 byte DNS responses?

Blocking > 512 byte responses would be ... unfortunate.

> 4. Do you block non-UDP DNS requests or rate-limit requests?
> Yes

I presume (hope) the "yes" applies to rate limiting? Blocking non-UDP DNS is a bad idea. As RFC 5966 states: "... it should be noted that failure to support TCP (or the blocking of DNS over TCP at the network layer) may result in resolution failure and/or application-level timeouts."

> block anycast/broadcast source address packets

How do you know if a source address is an anycast address?

> block fragmented packets

Why would you want to block fragmented packets?

Regards,
-drc
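The exchange behind the "> 512 byte" and "non-UDP DNS" points, as an added illustration that is not part of David Conrad's message or the NANOG thread: a response that carries more A records than fit in the classic 512-byte UDP payload comes back with the TC bit set and no answers, and the resolver only gets the full answer by retrying over TCP (or by advertising a larger EDNS buffer). The name, addresses and 40-record answer are constructed for the example; the truncation model is simplified (the whole answer section is dropped, and the EDNS OPT record is not counted in the size).

```python
import struct

# Constructed example data (not from the thread): a name with many A records,
# the kind of answer that legitimately exceeds the classic 512-byte UDP limit.
QNAME = "example.com."
MANY_ADDRS = ["10.0.%d.%d" % (i // 256, i % 256) for i in range(1, 41)]  # 40 records

TC_BIT = 0x0200  # "TrunCation" flag in the DNS header


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, addrs, txid=0x1234):
    """Build a complete (non-EDNS) DNS response: header, question, one A record per address."""
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addrs:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer to offset 12, where the question name starts.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answers


def question_end(msg):
    """Offset just past the question section (name + QTYPE + QCLASS)."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4


def ancount(msg):
    """Number of answer records announced in the header."""
    return struct.unpack("!H", msg[6:8])[0]


def flags(msg):
    """Header flags word."""
    return struct.unpack("!H", msg[2:4])[0]


def udp_send(msg, max_payload=512):
    """What a server does when the response does not fit the client's UDP limit:
    drop the answer section and set TC so the client retries over TCP.
    (Simplified model: real servers may keep the RRs that still fit.)"""
    if len(msg) <= max_payload:
        return msg, False
    new_flags = flags(msg) | TC_BIT
    header = msg[:2] + struct.pack("!H", new_flags) + struct.pack("!HHHH", 1, 0, 0, 0)
    return header + msg[12:question_end(msg)], True


def resolve(qname, addrs, tcp_allowed, edns_bufsize=None):
    """Resolver view of the exchange under a given network policy.
    Returns (transport_used, answer_records): ('udp', n), ('tcp', n) or ('fail', 0)."""
    full = build_response(qname, addrs)
    limit = edns_bufsize if edns_bufsize else 512  # no EDNS => classic 512-byte limit
    reply, truncated = udp_send(full, limit)
    if not truncated:
        return "udp", ancount(reply)
    if tcp_allowed:
        return "tcp", ancount(full)  # TCP carries the whole message
    return "fail", 0  # TC set but TCP/53 blocked: the question stays unanswered


if __name__ == "__main__":
    print("full response size:", len(build_response(QNAME, MANY_ADDRS)), "bytes")
    for policy in ((True, None), (False, None), (False, 1232)):
        print("tcp_allowed=%s edns=%s ->" % policy, resolve(QNAME, MANY_ADDRS, *policy))
```

The three policies in the usage block correspond to the cases in the message: a normal network (TC then TCP retry succeeds), a network that blocks DNS over TCP (resolution fails exactly as RFC 5966 warns), and a client with an EDNS buffer large enough that the answer fits in a single UDP datagram.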
