Re: using TCP53 for DNS

["Patrick W. Gilmore" <patrick () ianai net>]

On Apr 26, 2005, at 2:45 PM, Florian Weimer wrote:

> * Patrick W. Gilmore:
>
> > At least one DoS mitigation box uses TCP53 to "protect" name
> > servers.  Personally I thought this was a pretty slick trick, but it
> > appears to have caused a lot of problems.  From the thread (certainly
> > not a scientific sampling), many people seem to be filtering port 53
> > TCP to their name servers.
>
> "To their name servers"?  I think you mean "from their caching
> resolvers to 53/TCP on other hosts".

Either.  Both.


> > Is this common?
>
> Hopefully not.  Resolvers MUST be able to make TCP connections to
> other name servers.

I hope not as well, but people have posted here that they are doing  
so.  Which is why I am asking. :-)


> > Does anyone have stats on this (roots, GTLDs, other big name server
> > farms)?
>
> What kind of stats?  I might be able to provide some statistics about
> TC flag usage, but I doubt that this data is interesting.

I am interested in how many name servers - caching or authoritative -  
are filtering incoming and/or outgoing TCP port 53.

_Personally_ I am most interested in what percentage of caching name  
servers are incapable (either because of filters, software  
limitations, or any other reason) of making TCP queries.

More generally, I am interested in how many name servers are  
filtering TCP53 in any direction.

--
TTFN,
patrick