Nicolai <nicolai+misc () chocolatine ! org> wrote:

> On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:
> 
> > For number of years I had in my /var/unbound/etc/unbound.conf line
> > 
> > do-tcp: no
> 
> > To make things worse I was blocking port TCP port 53. 
> 
> Just curious, why did you do that?

When I started using Unbound on OpenBSD it was not part of the base.
There was no such thing as the default unbound.conf file. I vividly
remember reading NLnet Labs documentation for three full days before
deciding on my defaults. Even once Unbound became part of the base
(IIRC 5.7), the defaults were not carved in stone. They changed quite a
bit over time.

As for the port blocking, unfortunately I am old enough to remember this
post

http://cr.yp.to/djbdns/tcp.html#why

and the remark that TCP is only needed for records larger than 512
bytes. 

"You want to publish record sets larger than 512 bytes. (This is almost
always a mistake.)"

I had no need for TCP port 53 to be open. Until a month and a half ago
things worked as expected, and I have more important things to do than to
fix things which don't appear to be broken.

The following 

https://www.openbsd.org/faq/pf/

is also evolving. It has been almost 15 years since OpenBSD became
my daily driver and I would swear (but I am not going to look through
the Internet Archive) that there was a time when UDP port 53 was the only
open domain service in the minimal working example.


> 
> On my authoritative servers roughly 1 in 1000 queries are over TCP, even
> though no answers are over 512 bytes.  Like most people, I don't use
> DNSSEC, and unlike most people, I do use DNSCurve.
> 

I try to stay away from universal quantification (a professional
deformation). I have been using DNSSEC more or less since it became available. I
used it before it became the default in the unbound.conf file of
OpenBSD. That is an example of an OpenBSD unbound.conf default which
actually changed not so long ago.



> I've seen "in the wild" authoritative servers that always set TC=1 but
> that's exceedingly rare and a bad idea for general use.
> 
> If you block 53/udp then your life will change for the worse a LOT
> faster than if you merely block 53/tcp, but both are used, and both
> should be allowed.  Blocking either will lead to downtime.
> 
> If you don't understand the defaults then leave them be.  Put your
> energy into fixing things that are visibly broken.
>

That is exactly the reason that I kept 53/tcp closed past its useful
shelf life. I actually have more interesting things to do than fixing
stuff that is only marginally important for my life.


> 
> Just a related PSA: please don't block ICMP either.  It's important,
> necessary, and good.

I am not blocking it and I have never blocked it, although I do have some
restrictions in place since I read the first edition of The Book of PF.
As you know, the book is overdue for a 4th edition. As you see, the only
constant in life is change.


Cheers,
Predrag

> 
> Nicolai
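The thread turns on one mechanism: a DNS server that cannot fit an answer into a UDP datagram sets the TC (truncated) bit, and the client is expected to repeat the query over TCP. With `do-tcp: no` in unbound.conf or 53/tcp filtered in pf, that retry never succeeds and the lookup fails. The script below is an added example, not code from either poster: it parses the RFC 1035 header, decides whether a UDP reply needs a TCP retry, and implements the UDP-first, TCP-on-truncation fallback against a server of your choice. The server address, query name and the two sample replies are constructed for the example.

```python
import socket
import struct
import sys

# Constructed example, not from the mailing-list thread. Demonstrates why a
# resolver and the firewall in front of it must accept both 53/udp and 53/tcp.
# RFC 1035 header layout: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
HEADER = struct.Struct("!HHHHHH")
TC_BIT = 0x0200  # "truncated" flag inside the FLAGS word


def build_query(name, qtype=1, qid=0x1234):
    """Build a minimal DNS query (QR=0, RD=1) for `name`, class IN."""
    flags = 0x0100  # recursion desired
    header = HEADER.pack(qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return (id, flags, (qd, an, ns, ar)) from the first 12 bytes."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return qid, flags, (qd, an, ns, ar)


def needs_tcp_retry(udp_response):
    """True when the UDP answer carries TC=1: the server could not fit the
    answer into the datagram, so the client must repeat the query over TCP."""
    _, flags, _ = parse_header(udp_response)
    return bool(flags & TC_BIT)


def query_udp(server, q, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recv(4096)


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("TCP answer cut short")
        data += chunk
    return data


def query_tcp(server, q, timeout=2.0):
    # DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2).
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def resolve_with_fallback(server, name):
    """UDP first; on TC=1 repeat over TCP. With 53/tcp filtered the second
    step times out or is refused, which is the failure the thread describes."""
    q = build_query(name)
    resp = query_udp(server, q)
    transport = "udp"
    if needs_tcp_retry(resp):
        resp = query_tcp(server, q)
        transport = "tcp"
    return transport, resp


# Constructed replies to a query with ID 0x1234, used for offline checks:
# 0x8380 = QR|TC|RD|RA (truncated, no records), 0x8180 = QR|RD|RA (complete).
TRUNCATED_REPLY = HEADER.pack(0x1234, 0x8380, 1, 0, 0, 0)
NORMAL_REPLY = HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    # Assumed usage: python3 dnscheck.py <resolver-ip>; defaults to localhost.
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    transport, resp = resolve_with_fallback(server, "www.openbsd.org")
    print(transport, parse_header(resp))
```

Running it against a resolver with `do-tcp: no` (or behind a pf rule that only passes udp to port 53) still succeeds for small answers, which is why the misconfiguration stays invisible until a record set, a DNSSEC-signed response or a server policy produces a truncated UDP reply; forcing the same query through `query_tcp` directly is the quickest way to confirm the TCP path is open.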
