On Sun, Sep 20, 2020 at 10:17:47PM -0400, Predrag Punosevac wrote:

> Nicolai <nicolai+misc () chocolatine ! org> wrote :
> 
> > On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:
> > 
> > > For a number of years I had in my /var/unbound/etc/unbound.conf the line
> > > 
> > > do-tcp: no
> > 
> > > To make things worse I was blocking TCP port 53.
> > 
> > Just curious, why did you do that?
> 
> When I started using Unbound on OpenBSD it was not part of the base.
> There was no such thing as the default unbound.conf file. I vividly
> remember reading NLnet Labs documentation for three full days before
> deciding on my defaults. Even once Unbound became part of the base
> (IIRC 5.7), the defaults were not carved in stone. They changed quite a
> bit over time.

unbound itself has tcp switched on by default.

> 
> As for the port blocking, unfortunately I am old enough to remember this
> post 
> 
> http://cr.yp.to/djbdns/tcp.html#why
> 
> and the remark that TCP is only needed for records larger than 512
> bytes. 
> 
> "You want to publish record sets larger than 512 bytes. (This is almost
> always a mistake.)"
> 
> I had no need for TCP port 53 to be open. Until a month and a half ago
> things worked as expected and I have more important things to do than to
> fix things which don't appear to be broken.

He's talking about publishing here. You are talking about resolving.
You do not have control over what sizes of record sets others are publishing.

djb is both respected and an outlier. Never take his opinion for
granted without consulting other sources.

Just one example: dig +dnssec akamai.com txt

> 
> The following 
> 
> https://www.openbsd.org/faq/pf/
> 
> is also evolving. It has been almost 15 years since OpenBSD became
> my daily driver and I would swear (but I am not going to look through
> Internet archive) that there was a time when UDP port 53 was the only
> open domain service in the minimal working example.

I think if you look at the CVS history of the default pf.conf you'll
see that outgoing traffic was never blocked by default.

        -Otto

> 
> 
> > 
> > On my authoritative servers roughly 1 in 1000 queries are over TCP, even
> > though no answers are over 512 bytes.  Like most people, I don't use
> > DNSSEC, and unlike most people, I do use DNSCurve.
> > 
> 
> I try to stay away from a universal quantification (a professional
> deformation).  I do use DNSSEC more or less since it became available. I
> used it before the time it became default in unbound.conf file of
> OpenBSD. That is an example of the OpenBSD unbound.conf default which
> actually changed not so long ago.
> 
> 
> 
> > I've seen "in the wild" authoritative servers that always set TC=1 but
> > that's exceedingly rare and a bad idea for general use.
> > 
> > If you block 53/udp then your life will change for the worse a LOT
> > faster than if you merely block 53/tcp, but both are used, and both
> > should be allowed.  Blocking either will lead to downtime.
> > 
> > If you don't understand the defaults then leave them be.  Put your
> > energy into fixing things that are visibly broken.
> >
> 
> That is exactly the reason that I kept 53/tcp closed past its useful
> shelf life. I actually have more interesting things to do than fixing
> the stuff which is only marginally important for my life.
> 
> 
> > 
> > Just a related PSA: please don't block ICMP either.  It's important,
> > necessary, and good.
> 
> I am not blocking and I have never blocked it although I do have some
> restrictions in place since I read the first edition of the book of PF. 
> As you know the book is overdue for 4th edition. As you see the only
> constant in life is change. 
> 
> 
> Cheers,
> Predrag
> 
> > 
> > Nicolai
> 
