On Apr 26, 2013, at 12:27 AM, Warren Kumari wrote:
> I think that in many cases it is not that the named version doesn't support
> randomization, but rather that they / their firewall group believes that "DNS
> should only be allowed on port 53 (and UDP, natch)".
The actual problem being that
> From: "Dobbins, Roland"
> The actual problem being that the DNS servers oughtn't to be behind
> a firewall in the first place.
Can you elaborate on your statement? I can guess what the reaction around
here would be if I suggested it.
On 2013-04-26, at 08:11, wbr...@e1b.org wrote:
>> From: "Dobbins, Roland"
>
>> The actual problem being that the DNS servers oughtn't to be behind
>> a firewall in the first place.
>
> Can you elaborate on your statement? I can guess what the reaction around
> here would be if I suggested i
Hi,
Also can someone explain why tcp53 should be allowed on the firewalls if dns is
behind a firewall?
And why auditors do not like tcp53 open to public?
-Original Message-
From: dns-operations-boun...@lists.dns-oarc.net
[mailto:dns-operations-boun...@lists.dns-oarc.net] On Behalf Of
Joe Abley (jabley) writes:
>
> The number of stateful firewalls that can happily handle occasional flows of
> up to 100,000 flows per second to/from individual devices are few. "Yours
> probably isn't one of them."
Corollary: whatever device you'll be putting in front of the DNS server
On Apr 26, 2013, at 7:24 PM, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls if dns
> is behind a firewall?
Truncate mode.
> And why auditors do not like tcp53 open to public?
'Security' misinformation spread by firewall vendors
On Apr 26, 2013, at 7:23 PM, Joe Abley wrote:
> The number of stateful firewalls that can happily handle occasional flows of
> up to 100,000 flows per second to/from individual devices are few. "Yours
> probably isn't one of them."
I've seen 3mb/sec of spoofed SYN-flood take down a stateful f
On Apr 26, 2013, at 7:29 PM, Phil Regnauld wrote:
> In general, vendors of attack mitigation equipment rarely advise you about
> what you'll need in the future, only what they can sell you now.
+1.
The architecture should be designed for horizontal scalability from the outset.
---
"Cihan SUBASI \(GARANTI TEKNOLOJI\)" wrote on
04/26/2013 08:24:01 AM:
> Also can someone explain why tcp53 should be allowed on the
> firewalls if dns is behind a firewall?
Because your authoritative server may return a truncated response
indicating the client should retry over TCP.
> And w
-Original Message-
From: , Roland
Date: Friday, April 26, 2013 8:33 AM
To: "dns-operations@lists.dns-oarc.net List"
Subject: Re: [dns-operations] DNS Issue
>
>On Apr 26, 2013, at 7:24 PM, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
>
>> Also can someone explain why tcp53 should be allowed o
On Apr 26, 2013, at 8:24 AM, "Cihan SUBASI \(GARANTI TEKNOLOJI\)"
wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls if dns
> is behind a firewall?
EDNS0
> And why auditors do not like tcp53 open to public?
Because someone told them the wrong thing and they don't
On Apr 26, 2013, at 4:32 AM, "Dobbins, Roland" wrote:
>
> On Apr 26, 2013, at 12:27 AM, Warren Kumari wrote:
>
>> I think that in many cases it is not that the named version doesn't support
>> randomization, but rather that they / their firewall group believes that
>> "DNS should only be all
On Fri, 26 Apr 2013 12:24:01 +
"Cihan SUBASI (GARANTI TEKNOLOJI)" wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls
> if dns is behind a firewall?
DNS over TCP is not just for zone transfers. Many legitimate queries
and answers will be carried over TCP. Usuall
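The UDP-then-TCP behaviour the replies above describe (the "Truncate mode" answer, the truncated response that tells the client to retry over TCP, and the EDNS0 OPT record), as an added example that is not part of the thread or of any poster's code. It builds a query, reads the TC bit in the response and re-sends the same query over TCP with the two-byte length prefix. The fake_* servers and the 192.0.2.1 answer are constructed stand-ins so the code runs offline; the udp_transport and tcp_transport helpers are the live-network equivalents for trying it against a real server and are assumptions of this example, not anything the thread names.

```python
# Added example (not from the dns-operations thread): UDP query -> TC bit ->
# TCP retry, plus the EDNS0 OPT record. fake_* servers are constructed test data.
import socket
import struct

TYPE_A, TYPE_OPT = 1, 41
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg, off):
    """Offset just past the name at `off`; a compression pointer is 2 bytes and ends it."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def build_query(qname, qtype=TYPE_A, qid=0x1234, edns_udp_size=None):
    """RD query for qname; with edns_udp_size an OPT RR advertises our UDP buffer size."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg

def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def question_end(msg):
    off = 12
    for _ in range(parse_header(msg)["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    return off

def opt_udp_size(msg):
    """Advertised EDNS0 UDP payload size, or None when the message carries no OPT RR."""
    h = parse_header(msg)
    off = question_end(msg)
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None

def tcp_frame(msg):
    # DNS over TCP prefixes every message with a two-byte big-endian length
    return struct.pack("!H", len(msg)) + msg

def needs_tcp_retry(response):
    """QR=1 with TC=1 means the UDP answer was cut short: the client must retry over TCP."""
    h = parse_header(response)
    return h["qr"] and h["tc"]

def resolve(qname, send_udp, send_tcp, qtype=TYPE_A):
    """Client logic: UDP first, TCP when truncated. Returns (transport used, response)."""
    query = build_query(qname, qtype, edns_udp_size=4096)
    response = send_udp(query)
    if needs_tcp_retry(response):
        return "tcp", send_tcp(query)
    return "udp", response

def udp_transport(server, timeout=3):
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return s.recv(4096)
    return send

def tcp_transport(server, timeout=3):
    def send(query):
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(query))
            f = s.makefile("rb")               # read(n) blocks until n bytes or EOF
            (length,) = struct.unpack("!H", f.read(2))
            return f.read(length)
    return send

def fake_udp_server(query):
    """Constructed: the answer overflowed, so the server sets TC and returns the question only."""
    h = parse_header(query)
    hdr = struct.pack("!HHHHHH", h["id"], FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)
    return hdr + query[12:question_end(query)]

def fake_tcp_server(query):
    """Constructed: the same query over TCP gets the full answer, one A record 192.0.2.1."""
    h = parse_header(query)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    hdr = struct.pack("!HHHHHH", h["id"], FLAG_QR | FLAG_RD, 1, 1, 0, 0)
    return hdr + query[12:question_end(query)] + answer
```

resolve("example.com", fake_udp_server, fake_tcp_server) comes back over "tcp" with the A record; pass a send_tcp that raises instead (what a firewall dropping TCP/53 looks like from the client side) and the name simply never resolves, which is the failure the thread is arguing about. To try it live, hand resolve() udp_transport(server) and tcp_transport(server) for a server you are allowed to query.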
> From: Jared Mauch
> Because someone told them the wrong thing and they don't know any
> difference. Just because they're an auditor doesn't mean they are
> clued. Simple thing would be to show them a dns query that requires
> tcp, such as:
Would you show anything to a doctor prescribing bloo
Good timing...
On Fri, 26 Apr 2013, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls if dns
> is behind a firewall?
>
> And why auditors do not like tcp53 open to public?
See, that's another of the arguments why DNS should *not* be b