On Sun, Aug 10, 2008 at 01:06:06PM -0700, Chris Paul wrote:
brett watson wrote:
Hey authority DNS server operators. Can you make a change to your servers to always allow TCP client connections? Would this be difficult? What would be the harm?
SYN flooding?
from your clients? We have ways of knowing people on our local network are doing this type of thing and turn them off at the switch today. Why are you doing dns recursion for people outside your network?
The question isn't whether to offer TCP/53 up at the recursive server. The issue is that for you to use TCP/53 from your recursive server, it has to be offered up at the authoritative end. The authoritative server operators have to offer TCP/53 and the firewall administrators between the recursive server and the authoritative servers have to allow the traffic. -rob
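The thread's point is that TCP/53 has to work end to end: the authoritative server must listen on it and every firewall between the recursive server and the authoritative server must pass it. The following is an added example, not code from anyone in the thread. It builds a minimal DNS query by hand, applies the two-octet length prefix that RFC 1035 requires on TCP (and that UDP does not use), and decodes the reply header so an operator can tell a real answer from a truncated (TC) or refused one. The live check, probe_tcp53(), is meant to be run against name servers you operate; a connection refused or a timeout from it is exactly the failure described above, a server not offering TCP or a firewall in the path dropping it. The server address, zone name and transaction ids are placeholders you supply.

```python
"""Verify that an authoritative name server answers DNS over TCP/53.

Added example, not from the thread. The helpers run offline; probe_tcp53()
performs the live check against a server you operate.
"""
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: set on UDP replies that did not fit
FLAG_RD = 0x0100   # recursion desired
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234, rd: bool = False) -> bytes:
    """Return a wire-format DNS query. RD is off by default because an
    authoritative server is asked for its own data, not for recursion."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def frame_tcp(message: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit big-endian length, as TCP/53 requires."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(message)) + message


def unframe_tcp(stream: bytes) -> tuple:
    """Split one length-prefixed message off a TCP byte stream.
    Returns (message, remaining); raises if the stream is short."""
    if len(stream) < 2:
        raise ValueError("need at least 2 bytes of length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("incomplete DNS message on stream")
    return stream[2:2 + length], stream[2 + length:]


def parse_header(message: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields a TCP probe cares about."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,   # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver the reply in several segments."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-message")
        buf += chunk
    return buf


def probe_tcp53(server: str, name: str, timeout: float = 5.0) -> dict:
    """Send one query over TCP/53 and return the parsed reply header.
    ConnectionRefusedError or socket.timeout here means the server does not
    offer TCP/53 or a firewall in the path is dropping it."""
    txid = 0x4242   # placeholder id; use os.urandom in production
    query = build_query(name, txid=txid)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        reply = recv_exact(sock, length)
    hdr = parse_header(reply)
    if hdr["id"] != txid or not hdr["is_response"]:
        raise ValueError("reply does not match our query")
    return hdr


if __name__ == "__main__":
    import sys
    # usage: python tcp53_probe.py <your-authoritative-server-ip> <zone-name>
    print(probe_tcp53(sys.argv[1], sys.argv[2]))
```

Running the probe from the recursive server's side of the firewall, rather than from the authoritative host itself, is what shows whether the path actually passes TCP/53; a clean UDP answer with TC set followed by a TCP failure is the symptom to look for.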