North American Network Operators Group


Re: using TCP53 for DNS

  • From: Patrick W. Gilmore
  • Date: Tue Apr 26 15:08:16 2005

On Apr 26, 2005, at 2:45 PM, Florian Weimer wrote:

> * Patrick W. Gilmore:
>
>> At least one DoS mitigation box uses TCP53 to "protect" name
>> servers.  Personally I thought this was a pretty slick trick, but it
>> appears to have caused a lot of problems.  From the thread (certainly
>> not a scientific sampling), many people seem to be filtering port 53
>> TCP to their name servers.
>
> "To their name servers"?  I think you mean "from their caching
> resolvers to 53/TCP on other hosts".
Either.  Both.


>> Is this common?
>
> Hopefully not.  Resolvers MUST be able to make TCP connections to
> other name servers.
I hope not as well, but people have posted here that they are doing so. Which is why I am asking. :-)


>> Does anyone have stats on this (roots, GTLDs, other big name server
>> farms)?
>
> What kind of stats?  I might be able to provide some statistics about
> TC flag usage, but I doubt that this data is interesting.
I am interested in how many name servers - caching or authoritative - are filtering incoming and/or outgoing TCP port 53.

_Personally_ I am most interested in what percentage of caching name servers are incapable (either because of filters, software limitations, or any other reason) of making TCP queries.

More generally, I am interested in how many name servers are filtering TCP53 in any direction.

--
TTFN,
patrick
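The thread turns on one mechanism: a resolver that gets a UDP answer with the TC (truncated) bit set is expected to retry the same query over TCP port 53, which is why a filter on 53/TCP in either direction silently breaks resolution. The following is an added example, not code from the thread or from any of the products mentioned in it. It builds a wire-format query, detects TC in a UDP reply, handles the two-octet length prefix that DNS uses on TCP, and includes a small live probe you can point at your own resolver or authoritative server to see whether its TCP/53 path works. The query id 0x1234, the name example.com and the sample reply bytes are constructed for illustration.

```python
"""DNS-over-TCP/53 check: query builder, TC detection, TCP framing, live probe."""
import socket
import struct

FLAG_QR = 0x8000  # response bit
FLAG_TC = 0x0200  # truncated: client should retry over TCP
FLAG_RD = 0x0100  # recursion desired
QUERY_ID = 0x1234  # constructed id used by the sample below


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, root = 0x00."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return out + b"\x00"


def build_query(name, qtype=1, qid=QUERY_ID):
    """Wire-format query: 12-byte header (RD set, one question) + question, class IN."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fixed 12-byte header into the fields a client cares about."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an}


def needs_tcp_retry(udp_response, expected_id):
    """True when a matching UDP reply is truncated and must be re-asked over TCP."""
    h = parse_header(udp_response)
    return h["id"] == expected_id and h["qr"] and h["tc"]


def frame_tcp(msg):
    """On TCP every DNS message is preceded by its length as a 16-bit big-endian int."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Split a TCP byte stream into complete messages; returns (messages, leftover)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break  # partial message, wait for more bytes
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


def tcp53_probe(server, name="example.com.", timeout=3.0):
    """Live check of a server's TCP/53 path: 'ok', 'refused', 'timeout' or 'error'.
    Network-dependent; not exercised by the offline sample below."""
    query = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as sock:
            sock.sendall(frame_tcp(query))
            buf = b""
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    return "error"  # peer closed before a full answer
                buf += chunk
                msgs, buf = unframe_tcp(buf)
                if msgs:
                    h = parse_header(msgs[0])
                    return "ok" if h["id"] == QUERY_ID and h["qr"] else "error"
    except ConnectionRefusedError:
        return "refused"  # RST: something answers but TCP/53 is closed or filtered
    except socket.timeout:
        return "timeout"  # drop-style filter: no SYN/ACK at all
    except OSError:
        return "error"


# Constructed sample: a truncated UDP reply to our query, answer section omitted.
SAMPLE_TC_REPLY = (struct.pack("!HHHHHH", QUERY_ID, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    import sys
    print("TC set, retry over TCP:", needs_tcp_retry(SAMPLE_TC_REPLY, QUERY_ID))
    if len(sys.argv) > 1:
        print(sys.argv[1], "TCP/53:", tcp53_probe(sys.argv[1]))
```

Run it with a server address as the first argument to probe that host; a "timeout" result is the signature of a drop filter on 53/TCP, while "refused" means the packet got through but nothing is listening on TCP. Running the probe from a caching resolver's own vantage point, against the authoritative servers it talks to, answers the outbound-filter question Patrick raises.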