nanog mailing list archives
Re: large organization nameservers sending icmp packets to dns servers.
From: "Kevin Oberman" <oberman () es net>
Date: Wed, 08 Aug 2007 10:02:36 -0700
> Date: Tue, 7 Aug 2007 23:32:21 -0600
> From: "Jason J. W. Williams" <williamsjj () digitar com>
>
> > The answer is simple- because they are supposed to be allowed. By disallowing them you are breaking the agreed upon rules for the protocol. Before long it becomes impossible to implement new features because you can't be sure if someone else hasn't broken something intentionally.
>
> I don't really have a dog in this fight about TCP 53. It does seem to me that it's a bit black and white to treat the RFCs as religious texts. It's important to follow them wherever possible, but frankly they don't foresee the bulk of the future security issues that usually materialize. So if a feature of the RFC isn't working for you security-wise, I believe it's your call to break with it there. As someone else said, don't complain when it breaks other things as well however.
It is worth noting that we are not talking about just RFCs here, but STD or "Internet Standards". RFCs are a variety of things, but when they become Internet Standards, they are supposed to be mandatory. That said, the STD makes opening TCP/53 non-mandatory as it is labeled as a "SHOULD", not a "MUST". Those blocking TCP/53 may be stupid to do so, but they are only violating a strong recommendation and not a requirement. As is often pointed out, blocking port 53 will eventually almost certainly break something and I have yet to see a good argument for blocking TCP/53.
> > If you don't like the rules- then change the damned protocol. Stop just doing whatever you want and then complaining when other people disagree with you.
>
> I think it's possible to disagree without calling other folks stupid...
While the folks blocking or suggesting blocking TCP/53 may not be stupid, the act of blocking it is. (Intelligent people do stupid things.)
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman () es net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
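The breakage Kevin refers to, shown as an added example that is not part of this thread or of any poster's code: a DNS answer that does not fit in the UDP message comes back with the TC (truncated) bit set, and RFC 1035 has the resolver retry the same question over TCP/53. The stdlib-only Python below builds a query, decodes the header flags, applies the 2-byte length framing TCP DNS uses, and classifies what happens to the lookup when TCP/53 is or is not reachable. The sample responses are constructed (not captured traffic), and the helper names (`classify_outcome`, `tcp53_reachable`, and so on) are this example's own; the live `tcp53_reachable` check is defined for operators who want to verify their own servers and is not called here.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR_FLAG = 0x8000  # message is a response
TC_FLAG = 0x0200  # truncated: the answer did not fit in the UDP message
RD_FLAG = 0x0100  # recursion desired
RA_FLAG = 0x0080  # recursion available


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query: RD set, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def parse_header(msg):
    """Decode the 12-byte header into the fields a resolver decides on."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than a header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR_FLAG),
        "tc": bool(flags & TC_FLAG),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response):
    """A resolver must repeat the query over TCP when a response has TC set."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    """Split a TCP byte stream back into whole DNS messages."""
    messages = []
    pos = 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("incomplete length prefix")
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        pos += 2
        if pos + length > len(stream):
            raise ValueError("incomplete DNS message in stream")
        messages.append(stream[pos:pos + length])
        pos += length
    return messages


def classify_outcome(udp_response, tcp_reachable):
    """Outcome of a lookup given the UDP answer and whether TCP/53 is open."""
    if not needs_tcp_retry(udp_response):
        return "answered-over-udp"
    if tcp_reachable:
        return "retried-over-tcp"
    return "lookup-fails-tcp53-blocked"


def tcp53_reachable(host, timeout=3.0):
    """Live check for operators (not run here): can we open TCP/53 to host?"""
    try:
        with socket.create_connection((host, 53), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample responses: the question echoed back, no answer records,
# differing only in the TC bit.
_QUESTION = build_query("example.com")[12:]
FULL_RESPONSE = struct.pack(
    "!HHHHHH", 0x1234, QR_FLAG | RD_FLAG | RA_FLAG, 1, 0, 0, 0) + _QUESTION
TRUNCATED_RESPONSE = struct.pack(
    "!HHHHHH", 0x1234, QR_FLAG | RD_FLAG | RA_FLAG | TC_FLAG, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for name, resp in (("full", FULL_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        for tcp_ok in (True, False):
            state = "tcp/53 open" if tcp_ok else "tcp/53 blocked"
            print(name, state, "->", classify_outcome(resp, tcp_ok))
```

The point of the table this prints is the last row: a truncated answer plus a filter on TCP/53 is a failed lookup, not a degraded one, and the failure surfaces only for the names whose answers are large enough to truncate (DNSSEC-signed zones, long TXT sets, many NS records), which is why the breakage is intermittent and hard to attribute to the filter.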