Great info! Thank you very much.

------Original Message------
From: bert hubert
To: Morgan K. Osborne
Cc: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] DNS Requirements - Packet TypeAllowance/Responses/Settings
Sent: Jan 3, 2011 11:53 AM

On Mon, Jan 03, 2011 at 02:27:22PM -0500, Morgan Osborne wrote:
> Does anyone have a specific list of the required packet types (and response
> settings) needed for DNS servers to fully operate on the net?
>
> I know UDP is a must, but more to the point, are ICMP (ping, tracert)
> responses required for people/internet browsers to use your DNS?

Morgan,

This question is not very PowerDNS specific, but the answer is rarely written out anywhere.

You will need UDP/53, TCP/53. In addition, you will need to allow UDP fragments, since these are needed in the brave new world of DNSSEC. Also make sure that you can pass UDP answers of >512 bytes. Some firewalls are set up to block these as a security hazard.

In order for the fragments to work as intended, you should also have a clear path for ICMP 'need fragment' messages, as these allow for so-called Path MTU Probing.

And while we are at it, please also add IPv6! With the impending 'ipv4ocalypse', the time to act is now. IPv6 needs some ICMP messages to basically function, so make sure you don't block ICMPv6.

So, while you can get away with only allowing 'UDP/53', you'll need all the rest of it to be fully ready for DNSSEC & IPv6!

Good luck!

Bert
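
A way to check the requirements listed in the message above from the client side, as an added example that is not part of the original thread or of PowerDNS. It goes slightly beyond the text by using an EDNS0 OPT record, the mechanism that lets a client accept UDP answers over 512 bytes; the function names `build_query`, `classify` and `probe` are hypothetical.

```python
import socket
import struct

def build_query(name, qtype=48, bufsize=4096, dnssec_ok=True, qid=0x1234):
    """Build a DNS query carrying an EDNS0 OPT record (qtype 48 = DNSKEY)."""
    # Header: id, flags (RD), 1 question, 0 answers, 0 authority, 1 additional.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    ttl = 0x8000 if dnssec_ok else 0                         # DO bit sits in the OPT TTL
    # OPT: root name, type 41, class = advertised UDP size, ttl, empty rdata.
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, ttl, 0)
    return header + question + opt

def classify(udp_reply):
    """Say what a UDP reply (None on timeout) reveals about the network path."""
    if udp_reply is None:
        return "no UDP answer: UDP/53 blocked or large/fragmented answer dropped"
    flags = struct.unpack("!H", udp_reply[2:4])[0]
    if flags & 0x0200:                                       # TC: retry over TCP
        return "truncated: TCP/53 must be reachable"
    if len(udp_reply) > 512:
        return "large UDP answer passed"
    return "small UDP answer: does not exercise the >512 byte path"

def probe(server, name, timeout=3.0):
    """Live check against `server`; returns (UDP verdict, TCP/53 answered)."""
    query = build_query(name)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        try:
            udp.sendto(query, (server, 53))
            reply = udp.recvfrom(65535)[0]
        except OSError:                                      # timeout or ICMP error
            reply = None
    try:
        with socket.create_connection((server, 53), timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(query)) + query)
            tcp_ok = len(tcp.recv(2)) == 2                   # length prefix came back
    except OSError:
        tcp_ok = False
    return classify(reply), tcp_ok
```

`probe()` needs network access and is most informative when `name` is a DNSSEC-signed zone whose DNSKEY answer exceeds 512 bytes; run it over both the IPv4 and IPv6 address of the server.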