17 Nov 2014, 5:49 p.m.
4. Do you block non-UDP DNS requests or rate-limit requests?
Yes
Why? RFC 5966, "DNS Transport over TCP - Implementation Requirements". You make it very hard for DNSSEC.
5. Anything else you block/filter on your DNS servers?
block fragmented packets
Why? You then block EDNS0, which DNSSEC uses. (UDP packets up to 4096 bytes, then TCP.)
/Anders
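The interaction described in the message above, as an added Python example that is not part of the original post: it builds a DNS query carrying an EDNS0 OPT record that advertises a 4096-byte UDP payload with the DO bit set, reads the TC bit and OPT fields back from a message, and models which transport can still deliver a response once fragments or TCP are filtered. The function names, the 1500-byte MTU, the IPv4 header sizes and the simplified retry model in `outcome` are assumptions made for illustration.

```python
import struct

def build_query(name, qtype=48, udp_size=4096, do_bit=True, txid=0x1234):
    """DNS query (default type 48 = DNSKEY) with an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # class IN
    ttl = 0x8000 if do_bit else 0    # ext-rcode 0, version 0, DO flag in the top flag bit
    # OPT pseudo-RR: root name, type 41, CLASS = advertised UDP size, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:         # compression pointer is two bytes long
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Extract the TC flag and the EDNS0 parameters from a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"tc": bool(flags & 0x0200), "udp_size": 512, "do": False}  # no OPT: 512-byte limit
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            info.update(udp_size=rclass, do=bool(ttl & 0x8000))
    return info

def outcome(resp_len, udp_size, drop_fragments, tcp_allowed, mtu=1500):
    """Simplified model (assumption): which transport delivers a response of resp_len bytes."""
    fits_udp = resp_len <= udp_size          # otherwise the server truncates and sets TC
    fragmented = resp_len + 28 > mtu         # 20-byte IPv4 header + 8-byte UDP header
    if fits_udp and not (fragmented and drop_fragments):
        return "udp"
    return "tcp" if tcp_allowed else "fail"  # retry over TCP is the only path left

if __name__ == "__main__":
    q = build_query("example.com")
    print(edns_info(q), outcome(1800, 4096, drop_fragments=True, tcp_allowed=False))
```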