nanog mailing list archives

Re: large organization nameservers sending icmp packets to dns servers.


From: "Jason J. W. Williams" <williamsjj () digitar com>
Date: Tue, 7 Aug 2007 12:19:45 -0600

Hi Donald,

I'm not prepared to call it stupid, but you're right it can cause issues.

-J
--------------------
Sent via BlackBerry

----- Original Message -----
From: Donald Stahl <don () calis blacksun org>
To: Jason J. W. Williams
Cc: Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu>; John Levine <johnl () iecc com>; nanog () nanog org <nanog () nanog org>
Sent: Tue Aug 07 12:14:11 2007
Subject: RE: large organization nameservers sending icmp packets to dns servers.

> All things being equal (which they're usually not) you could use the ACK
> response time of the TCP handshake if they've got TCP DNS resolution
> available. Though again most don't for security reasons...
Then most are incredibly stupid.

Several anti-DoS utilities force unknown hosts to initiate a query via 
TCP in order to be whitelisted. If the host can't perform a TCP query, then 
they get blacklisted.

In addition, any UDP truncated response needs to be retried via TCP; 
blocking it would cause a variety of problems.

-Don
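The truncation-then-TCP retry Don refers to (RFC 1035: a reply with the TC bit set must be repeated over TCP, where each message carries a two-byte length prefix), as an added example that is not part of this thread or anyone's posted code. The `udp_send`/`tcp_send` callables and the sample response bytes are assumptions constructed here so it runs offline.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """True if the TC bit (0x0200 in the flags word) is set in the header."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

def frame_tcp(message):
    """RFC 1035 4.2.2: over TCP each message is prefixed by its 2-byte length."""
    return struct.pack("!H", len(message)) + message

def unframe_tcp(stream):
    length = struct.unpack("!H", stream[:2])[0]
    return stream[2:2 + length]

def resolve(query, udp_send, tcp_send):
    """Query over UDP; if the answer is truncated, repeat the query over TCP."""
    response = udp_send(query)
    if not is_truncated(response):
        return response, "udp"
    # If TCP/53 is filtered, this second step fails and the resolver is
    # left with an incomplete answer it must not use.
    return unframe_tcp(tcp_send(frame_tcp(query))), "tcp"

# Constructed sample exchange (no network): the UDP reply has TC=1 and an
# empty answer section; the TCP reply is the full response with one TXT RR.
QUERY = build_query("example.com", qtype=16)  # TXT, a common truncation case
UDP_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
TCP_FULL = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, 6) + b"\x05hello")

def demo():
    """Run the constructed exchange; returns (transport used, got full answer)."""
    answer, transport = resolve(QUERY, lambda q: UDP_TRUNCATED,
                                lambda framed: frame_tcp(TCP_FULL))
    return transport, answer == TCP_FULL

if __name__ == "__main__":
    print(demo())
```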
