nanog mailing list archives
Re: using TCP53 for DNS
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Tue, 26 Apr 2005 15:04:25 -0400
On Apr 26, 2005, at 2:45 PM, Florian Weimer wrote:
> * Patrick W. Gilmore:
>
>> At least one DoS mitigation box uses TCP53 to "protect" name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the thread (certainly not a scientific sampling), many people seem to be filtering port 53 TCP to their name servers.
>
> "To their name servers"? I think you mean "from their caching resolvers to 53/TCP on other hosts".

Either. Both.

>> Is this common?
>
> Hopefully not. Resolvers MUST be able to make TCP connections to other name servers.

I hope not as well, but people have posted here that they are doing so. Which is why I am asking. :-)

>> Does anyone have stats on this (roots, GTLDs, other big name server farms)?
>
> What kind of stats? I might be able to provide some statistics about TC flag usage, but I doubt that this data is interesting.

I am interested in how many name servers - caching or authoritative - are filtering incoming and/or outgoing TCP port 53.
_Personally_ I am most interested in what percentage of caching name servers are incapable (either because of filters, software limitations, or any other reason) of making TCP queries.
More generally, I am interested in how many name servers are filtering TCP53 in any direction.
-- TTFN, patrick