Hi Donald, I'm not prepared to call it stupid, but you're right it can cause issues.
-J
--------------------
Sent via BlackBerry

----- Original Message -----
From: Donald Stahl <[EMAIL PROTECTED]>
To: Jason J. W. Williams
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>; John Levine <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Sent: Tue Aug 07 12:14:11 2007
Subject: RE: large organization nameservers sending icmp packets to dns servers.

> All things being equal (which they're usually not) you could use the ACK
> response time of the TCP handshake if they've got TCP DNS resolution
> available. Though again most don't for security reasons...

Then most are incredibly stupid. Several anti-DoS utilities force unknown hosts to initiate a query via TCP in order to be whitelisted. If the host can't perform a TCP query then they get blacklisted.

In addition, any UDP truncated response needs to be retried via TCP; blocking it would cause a variety of problems.

-Don
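The TC-bit fallback Don refers to is the behaviour a resolver is required to have: a UDP answer with the truncation flag set must be re-asked over TCP, where DNS messages carry a two-byte length prefix. The following is an added example, not code from anyone in this thread, showing that client logic in isolation. The two transport callables (`send_udp`, `send_tcp`) and the stub responders are assumptions constructed so the code runs offline; a real client would wrap sockets to port 53 in them.

```python
"""
Added example: minimal DNS client core that honours the TC (truncation) bit.
Query over UDP first; if the reply has TC=1, resend the same query over TCP,
framed with a 2-byte big-endian length prefix (RFC 1035 section 4.2.2).
Transports are callables so the logic can be exercised with stub servers.
"""
import struct

HEADER_FMT = "!HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount
QR_BIT = 0x8000          # response flag
RD_BIT = 0x0100          # recursion desired
TC_BIT = 0x0200          # truncation flag: bit 9 of the 16-bit flags word


def encode_qname(name):
    """Wire-encode a dotted name as length-prefixed labels, root-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1):
    """Build a single-question query (default QTYPE A, QCLASS IN)."""
    header = struct.pack(HEADER_FMT, qid, RD_BIT, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def is_truncated(msg):
    """True if the TC bit is set in a DNS message header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC_BIT)


def frame_for_tcp(msg):
    """Prefix a DNS message with its 16-bit length, as TCP transport requires."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(data):
    """Strip the TCP length prefix and check the body is complete."""
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("short TCP DNS read")
    return body


def resolve(query, send_udp, send_tcp):
    """Send over UDP; on TC=1 retry over TCP. Returns (reply, transport used)."""
    reply = send_udp(query)
    if not is_truncated(reply):
        return reply, "udp"
    if send_tcp is None:
        # This is the failure mode the thread describes: TCP/53 blocked,
        # so a truncated answer can never be completed.
        raise RuntimeError("truncated UDP reply but TCP/53 is unavailable")
    tcp_reply = unframe_from_tcp(send_tcp(frame_for_tcp(query)))
    return tcp_reply, "tcp"


# --- constructed stub servers (assumptions, for offline demonstration) ---

def _stub_reply(query, truncated):
    """Echo the question back with QR set, optionally marking it truncated."""
    qid, flags, qd, _an, _ns, _ar = struct.unpack(HEADER_FMT, query[:12])
    flags = QR_BIT | (flags & RD_BIT) | (TC_BIT if truncated else 0)
    return struct.pack(HEADER_FMT, qid, flags, qd, 0, 0, 0) + query[12:]


def demo():
    """Server A answers fully over UDP; server B truncates, forcing TCP."""
    q = build_query(0x1234, "example.com.")
    _, path_a = resolve(q, lambda m: _stub_reply(m, False), None)
    udp_b = lambda m: _stub_reply(m, True)
    tcp_b = lambda framed: frame_for_tcp(
        _stub_reply(unframe_from_tcp(framed), False))
    _, path_b = resolve(q, udp_b, tcp_b)
    return path_a, path_b


if __name__ == "__main__":
    print(demo())  # ('udp', 'tcp')
```

Passing `send_tcp=None` to `resolve` against the truncating stub reproduces the breakage Don warns about: the client has a truncated answer it cannot complete, which is exactly what a firewall that drops TCP/53 causes for large responses (DNSSEC-signed zones, big TXT records, many-address round robins).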
