All,
Thanks for the helpful suggestions.
For what it's worth we use Cisco's CNR as we operate a MAC registration
system which controls access to our network. We allow customers to
select hostnames which are pushed into DDNS when the the system acquires
a lease.CNR has internal limits (u
Mark Andrews wrote:
Authoritative only servers need hints so that NOTIFY will
work in the general case.
Presumably that's because the authoritative server will want to look up
the RDATA (hostname) of each NS record that serves a zone for which it
is authoritative. Could you avoid
In article <[EMAIL PROTECTED]> you write:
>Sean Donelan wrote:
>
>> 1. Separate your authoritative and recursive name servers
>> 2. Recursive name servers should only get replies to their own DNS
>> queries from the Internet, they can use both UDP and TCP
>
>We've just completed a project to separ
On Jun 15, 2008, at 8:02 PM, Joe Greco wrote:
I think a real solution would be more sophisticated than this, but
it's a starting point.
In addition to the BCPs already mentioned by Sean and Nathan, a good
detection/classification/traceback system plus S/RTBH can be helpful,
and there are
> There is no call for insults on this list - Rather thought this list was
> about techincal discussions affecting all of us and keeping DNS alive
> for the majority of our customers certainly qualifies.
>
> We/I am more than aware of the DNS mechanisms and WHY there are there
> trouble is NO D
* Sean Donelan:
> Any network with a large user population probably should have separate
> DNS servers for their authoritative zones answering the Internet
> at-large and their recursive resolvers serving their user population.
It's not so much a question of network size. You absolutely must use
* Jon Kibler:
>>>From what I have read, public DNS servers should support both UDP and
>> TCP queries. TCP queries are often used when a UDP query fails, or if
>> the answer is over a certain length.
>>
>
> UDP is used for queries.
>
> TCP is used for zone transfers.
I've seen such claims count
On 15/06/2008, at 9:18 AM, Scott McGrath wrote:
Yes - we are blocking TCP too many problems with drone armies and we
started about a year ago when our DNS servers became unresponsive
for no apparent reason. Investigation showed TCP flows of hundreds
of megabits/sec and connection table ov
On 15/06/2008, at 12:45 PM, Mike Lewinski wrote:
2) The biggest drawback to separation after years of service is that
customers have come to expect their DNS changes are propagated
instantly when they are on-net. This turns out to be more of an
annoyance to us than our customers, since our
Sean Donelan wrote:
1. Separate your authoritative and recursive name servers
2. Recursive name servers should only get replies to their own DNS
queries from the Internet, they can use both UDP and TCP
We've just completed a project to separate our authoritative and
recursive servers and I h
On Sat, 14 Jun 2008, Scott McGrath wrote:
Also recall we have a comittment to openess so we would like to make TCP
services available but until we have effective DNS DoS mitigation which can
work with 10Gb links It's not going to happen.
I feel your pain, but I think there may be a slight mis-
> Mostly I think that people "approaching this from a security
> perspective only" often forget that by fencing in the(ir idea of the)
> current status quo, they often prevent beneficial evolution of
> protocols as well, contributing to the Internet's "ossification".
folk do not always get the imp
Scott McGrath wrote:
There is no call for insults on this list
Insults? Where? If you feel insulted by any of the comments made on this
list by people, then you probably are indeed on the wrong list. But that
is just me.
- Rather thought this list was
about techincal discussions affecting
Jon Kibler writes:
> Also, other than "That's what the RFCs call for," why use TCP for
> data exchange instead of larger UDP packets?
TCP is more robust for large (>Path MTU) data transfers, and less
prone to spoofing.
A few months ago I sent a message to SwiNOG (like NANOG only less
North Americ
There is no call for insults on this list - Rather thought this list was
about techincal discussions affecting all of us and keeping DNS alive
for the majority of our customers certainly qualifies.
We/I am more than aware of the DNS mechanisms and WHY there are there
trouble is NO DNS server
Scott McGrath wrote:
[..]
For a long time there has been a effective practice of
UDP == resolution requests
TCP == zone transfers
WRONG. TCP is there as a fallback when the answer of the question is too
large. Zone transfer you can limit in your software. If you can't
configure your dns serv
Not to toss flammables onto the pyre.
BUT there is a large difference from what the RFC's allow and common
practice. In our shop TCP is blocked to all but authoratative
secondaries as TCP is sinply too easy to DoS a DNS server with. We
simply don't need a few thousand drones clogging the T
Jon Kibler <[EMAIL PROTECTED]> writes:
> Okay, I stand corrected. I was approaching this from a security
> perspective only, and apparently based on incorrect information.
It always puzzles me when people say things like that - it's as if
they've lost sight of the *whole point* of security being
> If my server responded to TCP queries from anyone other than a secondary
> server, I would be VERY concerned.
you may want to read the specs
randy
Justin Shore wrote:
Jon Kibler wrote:
Various hardening documents for Cisco routers specify the best practices
are to only allow 53/tcp connections to/from secondary name servers.
Plus, from all I can tell, Cisco's 'ip inspect dns' CBAC appears to only
handle UDP data connections and anything TC
Jon Kibler wrote:
Various hardening documents for Cisco routers specify the best practices
are to only allow 53/tcp connections to/from secondary name servers.
Plus, from all I can tell, Cisco's 'ip inspect dns' CBAC appears to only
handle UDP data connections and anything TCP would be denied. Fr
on the network.
> -Original Message-
> From: Jon Kibler [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 13, 2008 11:52 AM
> To: Kevin Oberman
> Cc: [EMAIL PROTECTED]
> Subject: Re: DNS problems to RoadRunner - tcp vs udp
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
&
On Fri, 13 Jun 2008 14:14:55 -0400
Jon Kibler <[EMAIL PROTECTED]> wrote:
> TCP is used for zone transfers.
> If my server responded to TCP queries from anyone other than a secondary
> server, I would be VERY concerned.
I wouldn't be unless it looked like a DDoS - and it might for some that
are se
On Friday, 2008-06-13 at 14:14 AST, Jon Kibler <[EMAIL PROTECTED]>
wrote:
> UDP is used for queries.
True. But TCP can (and in some cases, has to be) used for queries also.
You are misinformed. See RFC 1035 (and others).
--
Tony Rall
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Bill Owens wrote:
> On Fri, Jun 13, 2008 at 02:14:55PM -0400, Jon Kibler wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Mark Price wrote:
>>
>>> >From what I have read, public DNS servers should support both UDP and
>>> TCP queries.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Kevin Oberman wrote:
>
> If it does not, you should be very concerned. The RFCs (several, but
> I'll point first to good old 1122) allow either TCP or UDP to be used
> for any operation that will fit in a 512 byte transfer. (EDNS0 allows
> larger UDP
Sorry to abuse the list, but aset.com seems to have some mail blocking
issues:
<[EMAIL PROTECTED]>
(reason: 551 5.7.1 Message undeliverable. Please see:
http://bounce.trustem.net/edu.php?id=m5DIJA6U012003.0.1... not accept email
from DHCP connections with an academic institution supplied hos
On Fri, Jun 13, 2008 at 02:14:55PM -0400, Jon Kibler wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Mark Price wrote:
>
> >>From what I have read, public DNS servers should support both UDP and
> > TCP queries. TCP queries are often used when a UDP query fails, or if
> > the answer
> Date: Fri, 13 Jun 2008 14:14:55 -0400
> From: Jon Kibler <[EMAIL PROTECTED]>
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Mark Price wrote:
>
> >>From what I have read, public DNS servers should support both UDP and
> > TCP queries. TCP queries are often used when a UDP query fails
Jon Kibler wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mark Price wrote:
>From what I have read, public DNS servers should support both UDP and
TCP queries. TCP queries are often used when a UDP query fails, or if
the answer is over a certain length.
UDP is used for queries.
TCP
Jon Kibler wrote:
UDP is used for queries.
TCP is used for zone transfers.
If my server responded to TCP queries from anyone other than a secondary
server, I would be VERY concerned.
That is a common, but incorrect, assumption.
DNS responses that are larger than the MTU of a single UDP pack
On Fri, 13 Jun 2008 14:14:55 EDT, Jon Kibler said:
> UDP is used for queries.
>
> TCP is used for zone transfers.
It's also sometimes used if a reply doesn't fit in the 512 bytes for a
UDP answer and EDNS0 isn't in effect. You get a truncated UDP packet back
and re-ask the query over TCP.
pgp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mark Price wrote:
>>From what I have read, public DNS servers should support both UDP and
> TCP queries. TCP queries are often used when a UDP query fails, or if
> the answer is over a certain length.
>
UDP is used for queries.
TCP is used for zon
33 matches
Mail list logo
