nanog mailing list archives
Re: using TCP53 for DNS
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Tue, 26 Apr 2005 19:01:47 +0000 (GMT)
On Tue, 26 Apr 2005, Florian Weimer wrote:
> * Patrick W. Gilmore:
>
>> At least one DoS mitigation box uses TCP53 to "protect" name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the thread (certainly not a scientific sampling), many people seem to be filtering port 53 TCP to their name servers.
>
> "To their name servers"? I think you mean "from their caching resolvers to 53/TCP on other hosts".
It's a both-directions thing. Some folks dropped tcp/53 TO their AUTH servers to protect against AXFRs from folks not their normal secondaries. Obviously this is from before bind8+'s capability to acl. Even after, I imagine that folks left the filters in place either 'because' or 'I don't run router acls' or 'laziness'....
>> Is this common?
>
> Hopefully not. Resolvers MUST be able to make TCP connections to other name servers.
It seems that what might be more common is resolver code not handling the truncate request properly :( That seemed to be the majority of the problems last time we ran into this problem :(

-Chris
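An added illustration of the truncation handling the message refers to (example code, not from the thread or any resolver): when a UDP reply carries the TC bit, a resolver must re-send the same query over TCP, where RFC 1035 requires a two-byte length prefix on each message. Both DNS messages below are constructed inline; `next_step` is a hypothetical helper name.

```python
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header (RFC 1035 section 4.1.1)


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return (transaction id, rcode, tc) from a DNS message header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, flags & 0x000F, bool(flags & TC_BIT)


def frame_for_tcp(query):
    """DNS over TCP (RFC 1035 section 4.2.2) prefixes each message with its 16-bit length."""
    return struct.pack("!H", len(query)) + query


def next_step(query, udp_reply):
    """Decide what a resolver does with a UDP reply: accept it, retry over TCP, or drop it.

    A resolver that ignores TC and accepts the truncated answer (or that can never
    reach 53/TCP because of a filter) is the failure mode discussed in the thread.
    """
    txid, _rcode, truncated = parse_header(udp_reply)
    if txid != parse_header(query)[0]:
        return ("drop", None)           # not the answer to our question
    if truncated:
        return ("retry_tcp", frame_for_tcp(query))  # same query, TCP framing
    return ("accept", udp_reply)


# Constructed sample messages (not captured traffic). Flags 0x8380 = QR|TC|RD|RA,
# 0x8180 = QR|RD|RA; both echo the question section of the query.
QUERY = build_query("example.net", qtype=1, txid=0x1234)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
FULL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print(next_step(QUERY, TRUNCATED_REPLY)[0])  # retry_tcp
    print(next_step(QUERY, FULL_REPLY)[0])       # accept
```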