On Tue, 26 Apr 2005, Florian Weimer wrote:
> * Patrick W. Gilmore:
>> At least one DoS mitigation box uses TCP53 to "protect" name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the thread (certainly not a scientific sampling), many people seem to be filtering port 53 TCP to their name servers.
> "To their name servers"? I think you mean "from their caching resolvers to 53/TCP on other hosts".

It's a both-directions thing. Some folks dropped tcp/53 TO their AUTH servers to protect against AXFRs from folks not their normal secondaries. Obviously this is from before bind8+'s capability to ACL. Even after, I imagine that folks left the filters in place either 'because' or 'I don't run router ACLs' or 'laziness'....

>> Is this common?
> Hopefully not. Resolvers MUST be able to make TCP connections to other name servers.

It seems that what might be more common is resolver code not handling the truncate request properly :( That seemed to be the majority of the problems last time we ran into this problem :(

-Chris
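The two failure modes the thread describes (a resolver that ignores the TC bit, and a tcp/53 filter that blocks the retry) can be shown end to end without touching the network. The following is an added example, not code from the thread or from any name-server implementation: it builds a minimal DNS query, parses the header, frames messages for TCP with the 2-byte length prefix, and runs a client against a constructed in-process `FakeAuthServer` that sets TC when an answer does not fit in 512 bytes over UDP. The class and function names, the 0x1234 query ID and the 192.0.2.1 records are all assumptions made for this example.

```python
"""Added example: correct handling of a truncated (TC=1) UDP answer.

When a reply exceeds what the server will send over UDP it comes back with
the TC bit set, and the client must repeat the same question over TCP, where
every message is prefixed with a 2-byte big-endian length. Everything here is
constructed and runs in-process; nothing is sent on the wire.
"""
import struct

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
QUERY_ID = 0x1234  # constructed, fixed ID so the test is deterministic


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qid: int = QUERY_ID, qtype: int = 1) -> bytes:
    """Minimal query: 12-byte header + one IN question (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed header; 'tc' is the flag a resolver must act on."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "tc": bool(flags & FLAG_TC)}


def frame_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte length, as required on TCP."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> list:
    """Split a TCP byte stream into whole DNS messages; reject short reads."""
    msgs, i = [], 0
    while i < len(stream):
        if i + 2 > len(stream):
            raise ValueError("short length prefix")
        (n,) = struct.unpack("!H", stream[i:i + 2])
        body = stream[i + 2:i + 2 + n]
        if len(body) != n:
            raise ValueError("short DNS message on TCP stream")
        msgs.append(body)
        i += 2 + n
    return msgs


class FakeAuthServer:
    """Constructed stand-in for an authoritative server (not a real product).

    Answers with `ancount` A records for whatever name is asked. Over UDP it
    honours a 512-byte limit: if the full answer does not fit it returns only
    the question with TC set (one permitted truncation behaviour). Over TCP it
    always returns the full answer, unless tcp/53 is "filtered".
    """

    def __init__(self, ancount: int, tcp_filtered: bool = False):
        self.ancount = ancount
        self.tcp_filtered = tcp_filtered

    def _answer(self, query: bytes, limit: int = None) -> bytes:
        qid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
        question = query[12:]
        # One A record: compression pointer to the question name (0xC00C),
        # type A, class IN, TTL 300, RDLENGTH 4, constructed address 192.0.2.1.
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
        body = question + rr * self.ancount
        flags = FLAG_QR | FLAG_RD
        if limit is not None and 12 + len(body) > limit:
            return struct.pack("!HHHHHH", qid, flags | FLAG_TC, qd, 0, 0, 0) + question
        return struct.pack("!HHHHHH", qid, flags, qd, self.ancount, 0, 0) + body

    def udp(self, query: bytes) -> bytes:
        return self._answer(query, limit=512)

    def tcp(self, framed_query: bytes) -> bytes:
        if self.tcp_filtered:
            raise ConnectionRefusedError("tcp/53 filtered on the path")
        (query,) = unframe_tcp(framed_query)
        return frame_tcp(self._answer(query))


def resolve(qname: str, server: FakeAuthServer) -> tuple:
    """Query over UDP; on TC=1 retry the same query over TCP.

    Returns (transport_used, answer_count). 'failed' is what a client sees
    when the TCP retry is blocked: the truncated UDP reply carries no answers.
    """
    query = build_query(qname)
    reply = server.udp(query)
    hdr = parse_header(reply)
    if hdr["id"] != QUERY_ID:
        raise ValueError("response ID does not match the query")
    if not hdr["tc"]:
        return ("udp", hdr["ancount"])
    try:
        stream = server.tcp(frame_tcp(query))
    except ConnectionRefusedError:
        return ("failed", 0)
    full = unframe_tcp(stream)[0]
    return ("tcp", parse_header(full)["ancount"])


if __name__ == "__main__":
    print(resolve("example.com", FakeAuthServer(5)))                       # ('udp', 5)
    print(resolve("example.com", FakeAuthServer(40)))                      # ('tcp', 40)
    print(resolve("example.com", FakeAuthServer(40, tcp_filtered=True)))   # ('failed', 0)
```

With 40 records the reply is 669 bytes, so the UDP answer comes back with TC set and zero records; a client that stops there has "handled" the truncation by silently losing the data, which is the resolver bug Chris describes, and a client that does retry still gets nothing when tcp/53 is filtered, which is Florian's point. A monitoring check for either condition is the same: query a large RRset from the vantage point in question, confirm the UDP reply has TC set, and confirm the TCP retry completes.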