Patrick W. Gilmore wrote:
In the thread about ns*.worldnic.com, many people were complaining about DNS responses/queries on TCP port 53.
At least one DoS mitigation box uses TCP53 to "protect" name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the thread (certainly not a scientific sampling), many people seem to be filtering port 53 TCP to their name servers.
I know that many people to block 53/TCP to their nameservers or from their resolvers. Firewall configs are widely based on rumours ("I've heard DNS runs on UDP/53"), not based on protocol definitions. The problem is, that blocking TCP/53 outgoing from your resolver will work in 99% (wild guess) of all cases and therefore if it does not work for resolving manyrecords.example.com it obiviously is the fault of example.com. Many "security experts" believe that 53/TCP is only used for zone transfers. Nils