nanog mailing list archives
Re: DNS problems to RoadRunner - tcp vs udp
From: Scott McGrath <mcgrath () fas harvard edu>
Date: Sat, 14 Jun 2008 16:40:10 -0400
Not to toss flammables onto the pyre. BUT there is a large difference from what the RFC's allow and common practice. In our shop TCP is blocked to all but authoratative secondaries as TCP is sinply too easy to DoS a DNS server with. We simply don't need a few thousand drones clogging the TCP connection table all trying to do zone transfers ( yes it happened and logs show drones are still trying )
For a long time there has been a effective practice of UDP == resolution requests TCP == zone transfersIt would have been better if a separate port had been defined for zone transfers as that would obviate the need for a application layer gateway to allow TCP transfers so that zone transfers can be blocked and resolution requests allowed for now all TCP is blocked.
Now just because someone has a bright idea they drag out a 20 y/o RFC and say SEE, SEE you must allow this because the RFC says so all the while ignoring the 20 years of operational discipline that RFC was written when the internet was like the quad at college everyone knew one and other and we were all working towards a common goal of interoperability and open systems , These days the net is more like a seedy waterfront after midnight where criminal gangs are waiting to ambush the unwary and consequently networks need to be operated from that standpoint.
At the University networking level it is extremely difficult as we need to maintain a open network as much as possible but protect our infrastructure services so that they have 5 nines of availability back in the day a few small hosts would serve DNS nicely and we did not have people trying to take them down and/or infecting local hosts and attempting DHCP starvation attacks. And no we are not at the 5 nines level but we are working on it.
- Scott Randy Bush wrote:
If my server responded to TCP queries from anyone other than a secondary server, I would be VERY concerned.you may want to read the specs randy
Current thread:
- Re: DNS problems to RoadRunner - tcp vs udp, (continued)
- Re: DNS problems to RoadRunner - tcp vs udp Justin Shore (Jun 13)
- Re: DNS problems to RoadRunner - tcp vs udp Justin Shore (Jun 13)
- Re: DNS problems to RoadRunner - tcp vs udp Robert E. Seastrom (Jun 14)
- Re: DNS problems to RoadRunner - tcp vs udp Simon Leinen (Jun 14)
- Re: DNS problems to RoadRunner - tcp vs udp Randy Bush (Jun 14)
- Re: DNS problems to RoadRunner - tcp vs udp Bill Owens (Jun 13)
- Re: DNS problems to RoadRunner - tcp vs udp Jon Kibler (Jun 13)
- Re: DNS problems to RoadRunner - tcp vs udp Tony Rall (Jun 13)
- Re: DNS problems to RoadRunner - tcp vs udp John Kristoff (Jun 13)
- Re: DNS problems to RoadRunner - tcp vs udp Randy Bush (Jun 13)
- Re: DNS problems to RoadRunner - tcp vs udp Scott McGrath (Jun 14)
- Re: DNS problems to RoadRunner - tcp vs udp Jeroen Massar (Jun 14)
- Re: DNS problems to RoadRunner - tcp vs udp Scott McGrath (Jun 14)
- Re: DNS problems to RoadRunner - tcp vs udp Jeroen Massar (Jun 14)
- Re: DNS problems to RoadRunner - tcp vs udp Sean Donelan (Jun 14)
- Re: DNS problems to RoadRunner - tcp vs udp Mike Lewinski (Jun 14)
- Re: DNS problems to RoadRunner - tcp vs udp Nathan Ward (Jun 14)
- Re: DNS problems to RoadRunner - tcp vs udp Mark Andrews (Jun 15)
- Re: DNS problems to RoadRunner - tcp vs udp Michael Sinatra (Jun 15)
- Re: DNS problems to RoadRunner - tcp vs udp Florian Weimer (Jun 15)
- Re: DNS problems to RoadRunner - tcp vs udp Nathan Ward (Jun 14)