North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: large organization nameservers sending icmp packets to dns servers.
On Tue, 07 Aug 2007 14:38:06 EDT, "Patrick W. Gilmore" said: >> In addition, any UDP truncated response needs to be retried via >> TCP- blocking it would cause a variety of problems. > Since we are talking about authorities here, one can control the size > of ones responses. Barely. % dig aol.com txt ; <<>> DiG 9.5.0a6 <<>> aol.com txt ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57320 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 2 ;; QUESTION SECTION: ;aol.com. IN TXT ;; ANSWER SECTION: aol.com. 218 IN TXT "v=spf1 ip4:18.104.22.168/24 ip4:22.214.171.124/24 ip4:126.96.36.199/24 ip4:188.8.131.52/23 ip4:184.108.40.206/24 ip4:220.127.116.11/23 ip4:18.104.22.168/24 ptr:mx.aol.com ?all" aol.com. 218 IN TXT "spf2.0/pra ip4:22.214.171.124/24 ip4:126.96.36.199/24 ip4:188.8.131.52/24 ip4:184.108.40.206/23 ip4:220.127.116.11/24 ip4:18.104.22.168/23 ip4:22.214.171.124/24 ptr:mx.aol.com ?all" ;; AUTHORITY SECTION: aol.com. 439 IN NS dns-02.ns.aol.com. aol.com. 439 IN NS dns-06.ns.aol.com. aol.com. 439 IN NS dns-07.ns.aol.com. aol.com. 439 IN NS dns-01.ns.aol.com. ;; ADDITIONAL SECTION: dns-02.ns.aol.com. 158598 IN A 126.96.36.199 dns-06.ns.aol.com. 158598 IN A 188.8.131.52 ;; Query time: 4 msec ;; SERVER: 2001:468:c80:6101:213:72ff:fefc:d5cc#53(2001:468:c80:6101:213:72ff:fefc:d5cc) ;; WHEN: Tue Aug 7 15:32:36 2007 ;; MSG SIZE rcvd: 512 So tell me what they should do if they wanted to add 1 more byte to those TXT records. Say they want to start announcing IPv6 addresses too... :) They're running just a bit tight on 'authority and 'additional' they can heave over the side - they *already* don't answer with the txt records if you try to do a 'dig aol.com any' because that 512 and the 497 returned on a 'dig aol.com mx' won't fit in one 512-byte packet. > Unless, of course, you are so incredibly stupid you can't figure out > the difference between an authority and a caching server. I wish people would keep straight what direction they're doing the measurement, and for who's benefit. If *XYZ* wants to find which of their servers I'm closest to, they'll most likely be poking at my *caching* nameservers, because that's where my recursive query arrived from. So we're *not* talking about authorities here. We're talking about DNS servers that are quite possibly configured to not talk, or give only partial results via UDP, to queries coming from outside the provider's network (after all, those people probably *should* be using *their* provider's caching DNS, right?)  If they *want* to go to the added effort of digging up my PTR, and from that finding the SOA and NS and ask my *authoritative* DNS for timing info, that's their right. Of course, all 3 of my caching servers are *really close* to me netwise - but of the 5 NS entries we list, 3 are intentionally *far away*, being off-campus secondaries. Hell, they're not even in our AS. :)