Hi ML

Yeah, I can understand. Even DNSSEC will have issues with it, which makes me worry about the rule even today.

On Wed, Dec 11, 2013 at 11:49 PM, ML <m...@kenweb.org> wrote:

> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
> >
> > I am sure I am not the first person experiencing this issue. Curious to hear
> > how you are managing it. Also, under what circumstances can I get a
> > legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> > than 1000 bytes?
> >
>
> I'm not a DNS guru so I don't have an exact answer. However my gut
> feeling is that putting in place a rule to drop or rate limit DNS
> replies greater than X bytes is probably going to come back to bite you
> in the future.
>
> No one can predict the future of what will constitute legitimate DNS
> traffic.
>

--
Anurag Bhatia
anuragbhatia.com

Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter <https://twitter.com/anurag_bhatia>
Skype: anuragbhatia.com
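To make the concern in this exchange concrete, here is an added example (not code from either poster) that audits a "drop DNS replies larger than N bytes" rule against constructed wire-format responses. It builds a plain A-record reply, a truncated UDP reply with TC set (the case that drives a client to retry over TCP on port 53), and a DNSKEY reply for a DNSSEC-signed zone with fake key and signature bytes sized like RSA/SHA-256 material, then walks each packet and reports its size, whether the rule would drop it, and whether it carries DNSSEC records or the EDNS DO flag. All names, keys and signatures are made up for the example.

```python
"""Audit a 'drop DNS replies > N bytes' rule against constructed DNS responses.
Added example: packets are built here with fake keys/signatures, not captured."""
import struct

DNSSEC_TYPES = {43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3"}
TYPE_OPT = 41  # EDNS(0) pseudo-RR


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_rr(name, rtype, rdata, ttl=3600, rclass=1):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_response(qname, qtype, answers, edns_do=False, tc=False):
    """Standard response (QR, RD, RA set), optional TC bit and OPT RR with DO set."""
    flags = 0x8180 | (0x0200 if tc else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 1 if edns_do else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b"".join(build_rr(qname, t, r) for t, r in answers)
    opt = b""
    if edns_do:
        # OPT RR: root name, type 41, CLASS = UDP payload size, TTL bit 15 = DO
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + body + opt


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def summarize(msg):
    """Parse the header and walk every RR: size, TC bit, DO bit, DNSSEC record types."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    types, edns_do = [], False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_do = bool(ttl & 0x8000)
        else:
            types.append(rtype)
    return {"size": len(msg), "tc": bool(flags & 0x0200), "edns_do": edns_do,
            "dnssec_types": sorted({DNSSEC_TYPES[t] for t in types if t in DNSSEC_TYPES})}


def audit_size_rule(msg, limit):
    """Would a 'drop replies > limit bytes' rule hit this reply, and does it look like DNSSEC?"""
    s = summarize(msg)
    s["would_drop"] = s["size"] > limit
    s["looks_dnssec"] = s["edns_do"] or bool(s["dnssec_types"])
    return s


def fake_rrsig(signer, sig_len):
    # RRSIG rdata layout: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name, signature (fake bytes here)
    fixed = struct.pack("!HBBIIIH", 48, 8, 2, 3600, 0x5A000000, 0x59000000, 12345)
    return fixed + encode_name(signer) + b"\x11" * sig_len


def fake_dnskey(flags, key_len):
    # DNSKEY rdata: flags, protocol 3, algorithm 8 (RSA/SHA-256), fake key bytes
    return struct.pack("!HBB", flags, 3, 8) + b"\x22" * key_len


def sample_plain_a():
    return build_response("example.com.", 1, [(1, bytes([192, 0, 2, 1]))])


def sample_truncated():
    """UDP reply with TC=1 and no answers: the client is expected to retry over TCP."""
    return build_response("example.com.", 48, [], edns_do=True, tc=True)


def sample_signed_dnskey():
    """DNSKEY RRset (KSK + ZSK + two RRSIGs) as a validating resolver receives it."""
    answers = [(48, fake_dnskey(257, 260)), (48, fake_dnskey(256, 130)),
               (46, fake_rrsig("example.com.", 256)), (46, fake_rrsig("example.com.", 256))]
    return build_response("example.com.", 48, answers, edns_do=True)


if __name__ == "__main__":
    for label, pkt in [("plain A", sample_plain_a()), ("truncated", sample_truncated()),
                       ("signed DNSKEY", sample_signed_dnskey())]:
        print(label, audit_size_rule(pkt, 1000))
```

Run as a script, the constructed DNSKEY reply comes out at 1104 bytes, so the 1000-byte rule from the thread would drop it even though it is exactly the traffic a validating resolver asks for; the truncated UDP reply that precedes the TCP retry is only 40 bytes and passes. The same `audit_size_rule` can be pointed at real captures (feed it the DNS payload bytes) to measure, before deploying such a rule, how much of a resolver's legitimate response traffic would be affected.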