nanog mailing list archives
Re: Retraining "IT" on networking myths (the cloud to the rescue!)
From: Michael Sinatra <michael () rancid berkeley edu>
Date: Wed, 08 Jun 2011 18:54:34 -0700
On 06/08/11 18:32, Jared Mauch wrote:
> MYTHS:
> TCP/53 is only for zone transfers
> ICMP is a security risk/DDoS avenue
> Internal networks must be secured with NAT
> A firewall is the only way to secure the perimeter
>
> In fact for IPv6, ICMP is more important vs less. Firewalls frequently harm and don't block data going out. TCP/53 is needed for EDNS.
tcp/53 is needed when EDNS is _not_ available and DNS message size exceeds 512 bytes. UDP fragments are (sometimes) necessary for EDNS.
So, that adds to your MYTHS section: Fragmented packets (like ICMP) are always a security risk and DDoS vector

michael
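The two mechanisms the reply distinguishes, the classic 512-byte UDP limit with a TC-bit retry over TCP/53 versus an EDNS0 OPT record advertising a larger UDP payload that may arrive as IP fragments, as an added example that is not part of the thread or of any resolver's real code. It uses only the Python standard library; the helper names (build_query, advertised_udp_size, needs_tcp_fallback, tcp_frame, will_fragment) and the sample messages are this example's own constructions.

```python
"""Added example, not code from the NANOG thread: a minimal, dependency-free
sketch of how a DNS client chooses between UDP (with or without EDNS0) and a
TCP retry.  Helper names (build_query, advertised_udp_size, needs_tcp_fallback,
tcp_frame, will_fragment) are this example's own assumptions, not a resolver's
real API.  All sample messages are constructed inline."""

import struct

DNS_TC = 0x0200            # "truncated" header flag (RFC 1035 section 4.1.1)
CLASSIC_UDP_LIMIT = 512    # UDP payload cap without EDNS0 (RFC 1035 section 2.3.4)
OPT_TYPE = 41              # EDNS0 OPT pseudo-RR type (RFC 6891)


def _encode_name(name):
    """Encode a dotted name as DNS labels, e.g. "a.b" -> b"\\x01a\\x01b\\x00"."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name starting at msg[off], honoring
    compression pointers (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_query(qname, qtype=1, edns_udp_size=None, txid=0x1234):
    """Wire-format query for qname/qtype (class IN) with RD set.  When
    edns_udp_size is given, an OPT record is appended advertising that UDP
    payload size; otherwise the server must fit in 512 bytes or set TC."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_udp_size:
        # OPT: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = 0 (no extended rcode/version/flags), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt


def advertised_udp_size(msg):
    """UDP payload size a message advertises: the CLASS field of its OPT
    record if one is present, else the classic 512-byte limit."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4             # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def needs_tcp_fallback(response):
    """True when the server set TC: the answer did not fit in the UDP size
    the client allowed, so the query must be repeated over TCP/53."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & DNS_TC)


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 2-byte length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def will_fragment(udp_payload_len, path_mtu, ipv6=True):
    """Whether a UDP DNS datagram of this payload size exceeds the path MTU
    (IPv6: 40-byte IP + 8-byte UDP header; IPv4: 20 + 8) and so arrives as
    IP fragments.  Dropping all fragments, or the ICMP "packet too big"
    messages that drive path-MTU discovery, is what breaks large EDNS answers."""
    overhead = 48 if ipv6 else 28
    return udp_payload_len + overhead > path_mtu


if __name__ == "__main__":
    # Constructed response header: QR|TC|RD|RA set, no records, i.e. what a
    # server returns for a >512-byte answer to a non-EDNS query.
    truncated = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
    q = build_query("example.com", qtype=48)          # DNSKEY answers are routinely >512 bytes
    print("no EDNS: client advertises", advertised_udp_size(q), "bytes")
    if needs_tcp_fallback(truncated):
        print("TC set -> retry over TCP/53, length prefix", tcp_frame(q)[:2].hex())
    q6 = build_query("example.com", qtype=48, edns_udp_size=4096)
    print("EDNS: client advertises", advertised_udp_size(q6), "bytes;",
          "a 1500-byte answer fragments on a 1280-byte IPv6 path:", will_fragment(1500, 1280))
```

The point the example makes concrete: a firewall that passes only UDP/53 breaks the TC fallback, and one that drops fragments (or the ICMP that path-MTU discovery depends on) breaks the EDNS path, so a client needs both TCP/53 and fragment delivery to be reliable.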
Current thread:
- RE: World of Warcraft may begin using IPv6 on Tuesday Frank Bulk (Jun 08)
- Re: World of Warcraft may begin using IPv6 on Tuesday Ray Soucy (Jun 08)
- Re: World of Warcraft may begin using IPv6 on Tuesday Mark Andrews (Jun 08)
- Retraining "IT" on networking myths (the cloud to the rescue!) Jared Mauch (Jun 08)
- Re: Retraining "IT" on networking myths (the cloud to the rescue!) Michael Sinatra (Jun 08)
- Re: World of Warcraft may begin using IPv6 on Tuesday Mark Andrews (Jun 08)
- Re: World of Warcraft may begin using IPv6 on Tuesday Ray Soucy (Jun 08)