On Tue, 26 Apr 2005, Florian Weimer wrote:

> * Patrick W. Gilmore:
> > At least one DoS mitigation box uses TCP53 to "protect" name
> > servers. Personally I thought this was a pretty slick trick, but it
> > appears to have caused a lot of problems. From the thread (certainly
> > not a scientific sampling), many people seem to be filtering port 53
> > TCP to their name servers.
>
> "To their name servers"? I think you mean "from their caching
> resolvers to 53/TCP on other hosts".
It's a both-directions thing. Some folks dropped tcp/53 TO their AUTH servers to protect against AXFRs from folks not their normal secondaries. Obviously this is from before bind8+'s capability to ACL. Even after, I imagine that folks left the filters in place either 'because' or 'I don't run router ACLs' or 'laziness'....

>
> > Is this common?
>
> Hopefully not. Resolvers MUST be able to make TCP connections to
> other name servers.

It seems that what might be more common is resolver code not handling the truncate request properly :( That seemed to be the majority of the problems last time we ran into this problem :(

-Chris
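The truncation handling Chris refers to, as an added example that is not part of the thread: a resolver that receives a UDP answer with the TC bit set must retry the same query over 53/TCP, where every message is prefixed with a 2-byte length (RFC 1035). The sample responses below are constructed for illustration (query for example.com/A, documentation address 192.0.2.1), and no real resolver's code is shown.

```python
import struct

QR = 0x8000  # header flag: this message is a response
TC = 0x0200  # header flag: response was truncated, client should retry over TCP

def build_header(msg_id, flags, qd=1, an=0, ns=0, ar=0):
    """12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 4.1.1)."""
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

# Constructed samples (not captured traffic): question for example.com, type A (1), class IN (1).
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
# A server whose answer does not fit in UDP returns the header with TC set and no answer records.
SAMPLE_TRUNCATED = build_header(0x1234, QR | TC) + QUESTION
# A complete answer: one A record (name pointer 0xc00c to the question, TTL 300, 192.0.2.1).
SAMPLE_COMPLETE = (build_header(0x1234, QR, an=1) + QUESTION
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

def is_truncated(message):
    """True if the TC flag is set in a DNS message's header."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", message[2:4])[0]
    return bool(flags & TC)

def next_transport(udp_response):
    """What a conforming resolver does with a UDP answer: use it, or repeat the query on 53/TCP."""
    return "tcp" if is_truncated(udp_response) else "udp"

def frame_for_tcp(message):
    """Prefix a DNS message with the 2-byte big-endian length used on 53/TCP (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message

def split_tcp_stream(buf):
    """Split a 53/TCP byte stream into complete messages; a partial trailing message is returned
    as the remainder so the caller can wait for more bytes instead of misparsing it."""
    msgs = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf
```

If 53/TCP is filtered anywhere on the path, the retry that `next_transport` calls for never completes, and the client sees a timeout rather than an error that points at the filter.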