North American Network Operators Group
Re: large organization nameservers sending icmp packets to dns servers.
- From: Jason J. W. Williams
- Date: Tue Aug 07 14:38:17 2007
Hi Donald,
I'm not prepared to call it stupid, but you're right it can cause issues.
-J
--------------------
Sent via BlackBerry
----- Original Message -----
From: Donald Stahl <[email protected]>
To: Jason J. W. Williams
Cc: [email protected] <[email protected]>; John Levine <[email protected]>; [email protected] <[email protected]>
Sent: Tue Aug 07 12:14:11 2007
Subject: RE: large organization nameservers sending icmp packets to dns servers.
> All things being equal (which they're usually not) you could use the ACK
> response time of the TCP handshake if they've got TCP DNS resolution
> available. Though again most don't for security reasons...
Then most are incredibly stupid.
Several anti-DoS utilities force unknown hosts to initiate a query via
TCP in order to be whitelisted. If the host can't perform a TCP query then
they get blacklisted.
In addition, any UDP truncated response needs to be retried via TCP;
blocking it would cause a variety of problems.
-Don
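The two mechanisms Don describes, a resolver retrying a truncated (TC=1) UDP answer over TCP, and a server deliberately returning an empty truncated reply so that an unknown client proves it can complete a TCP query, both rest on the same wire-format details. The following Python is an added illustration, not code from the thread or from any resolver or anti-DoS tool: it builds a query, detects the TC flag, applies the two-byte length framing that DNS over TCP requires, and shows the server-side "force TCP" reply. Network I/O is confined to resolve_with_fallback(), whose server address and port 53 are assumptions; everything else works on constructed byte strings.

```python
"""Minimal DNS wire-format helpers showing the UDP-to-TCP fallback path.

Constructed example; not code from the NANOG thread or any resolver.
Only resolve_with_fallback() touches the network.
"""
import os
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: client must retry over TCP
FLAG_RD = 0x0100   # recursion desired

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode "example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_A):
    """Standard recursive query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the fixed 12-byte header into the fields we care about."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def needs_tcp_retry(query, response):
    """True when the UDP reply is a truncated response to *our* transaction ID."""
    h = parse_header(response)
    return h["qr"] and h["tc"] and h["id"] == parse_header(query)["id"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def read_tcp_message(sock):
    """Read exactly one length-prefixed message from an object with recv()."""
    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed mid-message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", recv_exact(2))
    return recv_exact(length)


def force_tcp_response(query):
    """Server side of the anti-DoS trick: answer an unknown UDP client with an
    empty reply that has TC set. A real resolver comes back over TCP and can
    then be whitelisted; a spoofed UDP source never completes the handshake."""
    h = parse_header(query)
    header = struct.pack("!HHHHHH", h["id"], FLAG_QR | FLAG_TC | FLAG_RD,
                         h["qdcount"], 0, 0, 0)
    return header + query[12:]  # echo the question section unchanged


def resolve_with_fallback(name, server, timeout=3.0):
    """Query over UDP; if the reply is truncated, repeat the query over TCP.
    Port 53 and the server address are assumptions for this example."""
    q = build_query(name, int.from_bytes(os.urandom(2), "big"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        resp, _ = u.recvfrom(4096)
    if not needs_tcp_retry(q, resp):
        return resp, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(frame_for_tcp(q))
        return read_tcp_message(t), "tcp"
```

The check in needs_tcp_retry() deliberately requires the transaction ID to match: a TC=1 reply with a foreign ID is not a reason to open a TCP connection. On the server side, force_tcp_response() only works as a filter if TCP/53 is actually reachable, which is the point Don is making: a site that blocks TCP DNS "for security" breaks this whitelisting and every legitimately truncated answer.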