North American Network Operators Group


Re: using TCP53 for DNS

  • From: Nils Ketelsen
  • Date: Thu Apr 28 03:27:07 2005

Patrick W. Gilmore wrote:

> In the thread about ns*.worldnic.com, many people were complaining
> about DNS responses/queries on TCP port 53.
>
> At least one DoS mitigation box uses TCP53 to "protect" name servers.
> Personally I thought this was a pretty slick trick, but it appears to
> have caused a lot of problems.  From the thread (certainly not a
> scientific sampling), many people seem to be filtering port 53 TCP to
> their name servers.

I know that many people block 53/TCP to their nameservers or from
their resolvers. Firewall configs are widely based on rumours ("I've
heard DNS runs on UDP/53"), not on protocol definitions. The
problem is that blocking TCP/53 outgoing from your resolver will work
in 99% (wild guess) of all cases, and therefore if it does not work for
resolving manyrecords.example.com it obviously is the fault of
example.com.

Many "security experts" believe that 53/TCP is only used for zone
transfers.

Nils
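The failure mode Nils describes, as an added example that is not part of the original post: a resolver that sees the TC (truncated) bit in a UDP answer must retry the same query over TCP/53, so an outbound TCP/53 filter silently breaks names whose answers exceed the UDP size. The two response headers below are constructed for illustration.

```python
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 wire-format query for `name` (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp: bytes) -> dict:
    """Parse the 12-byte DNS header; reject anything shorter."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "tc": bool(flags & 0x0200),   # truncation bit: answer did not fit in UDP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def needs_tcp_retry(resp: bytes) -> bool:
    """True when the server flagged the UDP answer as truncated (TC set on a response)."""
    h = parse_header(resp)
    return h["qr"] and h["tc"]

def classify(resp: bytes) -> str:
    """What a resolver behind an outbound TCP/53 filter would experience for this answer."""
    if needs_tcp_retry(resp):
        return "truncated: resolution fails if TCP/53 is filtered"
    return "complete: UDP/53 sufficient"

# Constructed sample responses (headers only; the body is irrelevant to the TC decision).
# A name with many records: the authoritative server had to truncate its UDP reply.
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR, TC, RD, RA set
# A small answer that fits in UDP: no TCP retry needed.
COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set

if __name__ == "__main__":
    q = build_query("manyrecords.example.com")
    print(len(q), "byte query for manyrecords.example.com")
    print("large answer ->", classify(TRUNCATED))
    print("small answer ->", classify(COMPLETE))
```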