nanog mailing list archives
Re: large organization nameservers sending icmp packets to dns servers.
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Tue, 7 Aug 2007 14:38:06 -0400
On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote:
All things being equal (which they're usually not) you could use the ACKresponse time of the TCP handshake if they've got TCP DNS resolution available. Though again most don't for security reasons...Then most are incredibly stupid.
Those are impressively harsh words.Mind if I ask what operational experience you have with name servers behind firewalls filtering TCP53? I have none, so perhaps you could enlighten us with your vast experience?
Several anti DoS utilities force unknown hosts to initiate a query via TCP in order to be whitelisted. If the host can't perform a TCP query then they get blacklisted.
That trick is so well known, most people turn it off since there has been more than one instance of large, well known organizations suffering spectacular failures by using it. The phrase "worse than the disease" comes to mind.
In addition, any UDP truncated response needs to be retried via TCP- blocking it would cause a variety of problems.
Since we are talking about authorities here, one can control the size of ones responses.
Unless, of course, you are so incredibly stupid you can't figure out the difference between an authority and a caching server.
-- TTFN, patrick
Current thread:
- Re: large organization nameservers sending icmp packets to dns servers., (continued)
- Re: large organization nameservers sending icmp packets to dns servers. Steven M. Bellovin (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. John Levine (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. John L (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Chris L. Morrow (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Peter Dambier (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Joe Abley (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Steven M. Bellovin (Aug 06)
- RE: large organization nameservers sending icmp packets to dns servers. Jason J. W. Williams (Aug 07)
- RE: large organization nameservers sending icmp packets to dns servers. Donald Stahl (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Joe Abley (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Kevin Oberman (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Donald Stahl (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Kevin Oberman (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Andrew Sullivan (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Douglas Otis (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Paul Vixie (Aug 08)
- Re: large organization nameservers sending icmp packets to dns servers. Douglas Otis (Aug 08)
- Re: large organization nameservers sending icmp packets to dns servers. Paul Vixie (Aug 08)
- Re: large organization nameservers sending icmp packets to dns servers. Douglas Otis (Aug 09)