On Sun, Aug 10, 2008 at 01:06:06PM -0700, Chris Paul wrote:
> brett watson wrote:
> >>Hey authority DNS server operators. Can you make a change to your
> >>servers to always allow TCP client connections? Would this be
> >>difficult? What would be the harm?
> >SYN flooding?
> from your clients? We have ways of knowing people on our local network are
> doing this type of thing and turn them off at the switch today. Why are
> you doing DNS recursion for people outside your network?

The question isn't whether to offer TCP/53 up at the recursive server.
The issue is that for you to use TCP/53 from your recursive server, it
has to be offered up at the authoritative end. The authoritative server
operators have to offer TCP/53 and the firewall administrators between
the recursive server and the authoritative servers have to allow the
traffic.

-rob
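
A check for the point above, added here as an example and not part of the original message: run from the recursive server's network, it sends one NS query to an authoritative server over TCP with the RFC 1035 two-byte length prefix and tells a refusal at the server apart from a silent drop in the path. The function names and result labels are assumptions chosen for illustration.

```python
import socket
import struct

def build_query(name, qtype=2, txid=0x1234):
    """Encode a minimal DNS query (RD=0, as sent to an authoritative server)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype 2 = NS, class IN

def recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver a DNS message in several pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full message")
        buf += chunk
    return buf

def probe_tcp53(server, name, port=53, timeout=3.0):
    """Return 'answered', 'refused', 'filtered' or 'broken' for one server."""
    query = build_query(name)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            # RFC 1035 section 4.2.2: each message is prefixed by its length.
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            reply = recv_exact(s, length)
    except ConnectionRefusedError:
        return "refused"    # RST came back: nothing is listening on TCP/53
    except (socket.timeout, TimeoutError):
        return "filtered"   # no reply at all: typically a firewall in the path
    except OSError:
        return "broken"     # reset or short read after the connection opened
    # A valid reply echoes the transaction ID and has the QR (response) bit set.
    if len(reply) < 12 or reply[:2] != query[:2] or not reply[2] & 0x80:
        return "broken"
    return "answered"

if __name__ == "__main__":
    import sys  # usage: probe.py <authoritative-server> <zone-name>
    print(probe_tcp53(sys.argv[1], sys.argv[2]))
```
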