Re: using TCP53 for DNS

  • From: Christopher L. Morrow
  • Date: Tue Apr 26 17:16:57 2005

On Tue, 26 Apr 2005, Florian Weimer wrote:

> * Christopher L. Morrow:
> > It's a both-directions thing. Some folks dropped tcp/53 TO their AUTH
> > servers to protect against AXFRs from folks not their normal secondaries.
> Ugh.  And they didn't think something like "permit tcp any any eq 53
> established" was necessary?

That only helps for outbound from the server :( not: "Hey, this response
is going to be too big, come back on TCP!" :(

> >> Hopefully not.  Resolvers MUST be able to make TCP connections to
> >> other name servers.
> >
> > It seems that what might be more common is resolver code not handling the
> > truncate request properly :(
> Caching resolvers or stub resolvers?  Caching resolvers would be quite
> surprising, but you never know.

I've seen Windows DNS servers misbehave in this way, as well as some
firewalls performing DNS cache/proxy for clients internal to
enterprises... (the MS boxen doing it were cache servers, of course)

> Certainly, there are some applications which cannot cope with large RR
> sets (qmail comes to my mind).

Oh, that has to suck for email delivery, eh? :(
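The "come back on TCP" signal the thread is arguing about is the TC bit in the DNS header; a resolver that does not honour it, or a firewall that blocks TCP/53 inbound, is what leaves clients with a partial answer. The following is an added example (not code from this thread or from any product named in it) that parses the header flags of a constructed response, decides whether a TCP retry is required, and shows the two-byte length framing RFC 1035 mandates on TCP/53. The query name and transaction id are arbitrary constructed values.

```python
import struct

# Flag bits in the 12-byte DNS header (RFC 1035 section 4.1.1).
QR = 0x8000  # message is a response
TC = 0x0200  # truncated: answer did not fit in UDP, retry over TCP
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal UDP query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the header fields we need; reject anything shorter than 12 bytes."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "ancount": an}

def needs_tcp_retry(query: bytes, response: bytes) -> bool:
    """True when a reply matching our query has TC set: the server is saying
    'come back on TCP'. Keeping the truncated payload instead is the bug."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] and r["id"] == q["id"] and r["tc"]

def tcp_frame(msg: bytes) -> bytes:
    """TCP/53 carries each message behind a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream: bytes) -> bytes:
    """Strip the length prefix and check that the whole message has arrived."""
    if len(stream) < 2:
        raise ValueError("need the 2-byte length prefix")
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("incomplete TCP DNS message")
    return stream[2:2 + n]

# Constructed sample responses (no real traffic): same id and question section
# as the query, zero answer records; only the flag word differs.
QUERY = build_query("example.com.")
TRUNCATED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | TC, 1, 0, 0, 0) + QUERY[12:]
COMPLETE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print("truncated -> retry over TCP:", needs_tcp_retry(QUERY, TRUNCATED))
    print("complete  -> retry over TCP:", needs_tcp_retry(QUERY, COMPLETE))
```

A resolver behind a filter that drops inbound TCP/53 will see `needs_tcp_retry` return True and then fail the TCP connection, which is the failure mode described in the thread.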