North American Network Operators Group
RE: large organization nameservers sending icmp packets to dns servers.
Then most are incredibly stupid. All things being equal (which they're usually not) you could use the ACK response time of the TCP handshake if they've got TCP DNS resolution available. Though again most don't for security reasons...
Several anti-DoS utilities force unknown hosts to initiate a query via TCP in order to be whitelisted. If the host can't perform a TCP query then they get blacklisted.
In addition, any UDP truncated response needs to be retried via TCP; blocking it would cause a variety of problems.
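The two mechanisms in the post above, the TC-bit retry on the resolver side and the "prove you can do TCP" whitelisting on the server side, as an added, self-contained example (not code from this thread or from any of the anti-DoS tools it refers to). The transports are stubbed as in-process callables and the client addresses are constructed (documentation ranges), so it runs offline; the `TcpProvingServer` class is a hypothetical sketch of the whitelisting scheme, not any particular product.

```python
"""Added example: UDP-then-TCP DNS resolution driven by the TC bit, plus a
hypothetical server that truncates answers to unknown sources until they
complete a TCP query. Not code from the NANOG thread; transports are stubbed."""
import struct

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: client must retry over TCP
FLAG_RD = 0x0100  # recursion desired


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Minimal query: 12-byte header with RD set plus one question of class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def truncated_response(query):
    """Server side: echo the question with QR|TC set and no answers."""
    txid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)
    return header + query[12:]


def full_response(query, ipv4):
    """Server side: one A record; the owner name is a pointer (0xC00C) to the question."""
    txid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + rr


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("short TCP DNS frame")
    return data[2:2 + length]


def resolve(query, udp_send, tcp_send):
    """Client side: query over UDP; if the reply has TC set, repeat it over TCP.
    udp_send(bytes) -> bytes; tcp_send(framed bytes) -> framed bytes (stubbed here)."""
    want_id = parse_header(query)["id"]
    hdr = parse_header(resp := udp_send(query))
    if not hdr["qr"] or hdr["id"] != want_id:
        raise ValueError("UDP reply is not a response to our query")
    if not hdr["tc"]:
        return resp, "udp"
    try:
        resp = tcp_unframe(tcp_send(tcp_frame(query)))
    except OSError as e:  # tcp/53 filtered: the failure mode the post warns about
        raise RuntimeError("truncated UDP answer and TCP retry failed: %s" % e)
    hdr = parse_header(resp)
    if not hdr["qr"] or hdr["id"] != want_id or hdr["tc"]:
        raise ValueError("bad TCP response")
    return resp, "tcp"


class TcpProvingServer:
    """Hypothetical anti-DoS front end: unknown sources get a truncated UDP answer;
    a follow-up TCP query proves the source is real and whitelists it."""

    def __init__(self, answer_ip):
        self.answer_ip = answer_ip
        self.whitelist = set()

    def on_udp(self, src, query):
        if src in self.whitelist:
            return full_response(query, self.answer_ip)
        return truncated_response(query)

    def on_tcp(self, src, framed):
        self.whitelist.add(src)
        return tcp_frame(full_response(tcp_unframe(framed), self.answer_ip))


if __name__ == "__main__":
    server = TcpProvingServer("192.0.2.10")       # constructed answer address
    src = "198.51.100.7"                           # constructed client address
    q = build_query("example.com")
    _, via = resolve(q, lambda m: server.on_udp(src, m), lambda f: server.on_tcp(src, f))
    print("first query answered via", via)        # tcp
    _, via = resolve(q, lambda m: server.on_udp(src, m), lambda f: server.on_tcp(src, f))
    print("second query answered via", via)       # udp
```

A resolver behind a firewall that drops tcp/53 outbound gets exactly the `RuntimeError` path here: the truncated UDP reply is useless and the TCP retry never completes, which is the "variety of problems" the post refers to.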