North American Network Operators Group

Re: using TCP53 for DNS
On Tue, 26 Apr 2005, Florian Weimer wrote:

> * Christopher L. Morrow:
>
> > it's a both directions thing. Some folks dropped tcp/53 TO their AUTH
> > servers to protect against AXFR's from folks not their normal secondaries.
>
> Ugh. And they didn't think something like "permit tcp any any eq 53
> established" was necessary?
>

that only helps for outbound from the server :( not: "Hey, this response
is going to be too big, come back on TCP!" :(

> >> Hopefully not. Resolvers MUST be able to make TCP connections to
> >> other name servers.
> >
> > It seems that what might be more common is resolver code not handling the
> > truncate request properly :(
>
> Caching resolvers or stub resolvers? Caching resolvers would be quite
> surprising, but you never know.

I've seen Windows DNS servers misbehave in this way as well as some
firewalls performing DNS cache/proxy for clients internal to
enterprises... (the ms boxen doing it was cache servers of course)

>
> Certainly, there are some applications which cannot cope with large RR
> sets (qmail comes to my mind).
>

oh, that has to suck for email delivery, eh? :(
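
The truncation fallback discussed in this thread, as an added example that is not part of the original message: a resolver that honours the TC bit repeats the query over TCP, and fails outright when tcp/53 is filtered. The function names, the stand-in transports and the header-only messages are constructed for illustration.

```python
import struct

TC = 0x0200  # TC (truncated) bit in the DNS header flags word (RFC 1035, 4.1.1)

def header(txid, flags, ancount=0):
    """Constructed header-only DNS message: ID, flags, QD/AN/NS/AR counts."""
    return struct.pack("!HHHHHH", txid, flags, 0, ancount, 0, 0)

def is_truncated(msg):
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    return bool(struct.unpack("!H", msg[2:4])[0] & TC)

def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]

def tcp_frame(msg):
    """DNS over TCP carries a two-byte length before each message (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(data):
    (length,) = struct.unpack("!H", data[:2])
    if len(data) - 2 < length:
        raise ValueError("incomplete TCP DNS message")
    return data[2:2 + length]

def resolve(query, udp_send, tcp_send):
    """Ask over UDP; on TC=1 repeat the same query over TCP."""
    reply = udp_send(query)
    if not is_truncated(reply):
        return "udp", reply
    try:
        return "tcp", tcp_unframe(tcp_send(tcp_frame(query)))
    except ConnectionError as exc:
        # Fail loudly: a truncated answer must not be treated as complete.
        raise RuntimeError("TC=1 over UDP but tcp/53 is unreachable") from exc

# Constructed stand-ins for the network (hypothetical, no sockets involved).
QUERY = header(0x1234, 0x0100)                       # RD=1 query
def udp_small(q): return header(0x1234, 0x8000, 1)   # answer fits in UDP
def udp_big(q): return header(0x1234, 0x8000 | TC)   # "come back on TCP"
def tcp_open(framed): return tcp_frame(header(0x1234, 0x8000, 30))
def tcp_filtered(framed): raise ConnectionError("SYN to tcp/53 dropped")

if __name__ == "__main__":
    print(resolve(QUERY, udp_small, tcp_filtered)[0])
    print(resolve(QUERY, udp_big, tcp_open)[0])
```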