FW: maybe a dumb idea on how to fix the dns problems i don't know....
-----Original Message-----
From: Tomas L. Byrnes
Sent: Saturday, August 09, 2008 9:01 PM
To: 'Chris Paul'
Subject: RE: maybe a dumb idea on how to fix the dns problems i don't know....

Actually, the RFCs (RFC-1034 3.7, RFC-1035 4.2, ref RFC-793; implementation spec in RFC-1035 4.2.2; RFC-2136 2.1 says TCP is "at the discretion of the requestor") say TCP "Should" be supported. It's optional, but recommended.

The source of the guidance to block TCP is misguided "security" folks who confuse self-denial of service with policy enforcement. When security breaks functionality, it usually fails to secure, as users circumvent it, in my not so humble experience.

BTW: In RFC 1034 5.3.1 PVM tipped to some of the issues that we are now dealing with, under the title of "Stub Resolvers".
-----Original Message-----
From: Chris Paul [mailto:chris.paul@rexconsulting.net]
Sent: Saturday, August 09, 2008 3:49 PM
Cc: nanog@merit.edu
Subject: Re: maybe a dumb idea on how to fix the dns problems i don't know....
Paul Vixie wrote:
because TCP is considered optional by many authority DNS server operators.

Hey authority DNS server operators. Can you make a change to your servers to always allow TCP client connections? Would this be difficult? What would be the harm?

it's only required if you expect AXFR or if you ever emit a TC bit. if you don't want to do TCP then you can rule out the TC bit and AXFR and just not do TCP, and you'll be dead-to-rights within the various DNS protocol RFCs.

what RFCs forbid TCP for clients? I thought TCP was an option for clients. I'm not spending the rest of my sunday though reading rfcs....... and sure as hell not joining another list because to tell you the truth, I don't really care as much about the typical angry Sunday list poster (talk about redundant statement....)
thanks for the thoughts, though Paul. I'll leave the rest of this discussion (should it exist) to others in their forum of choice.... I'm thinking of a nice insalata caprese with true mozzarella di bufala right now.... now That's A Sunday!
CP
-- Chris Paul Rex Consulting, Inc 157 Rainbow Drive #5703, Livingston, TX 77399-1057 email: chris.paul@rexconsulting.net web: http://www.rexconsulting.net phone, direct: +1, 831.706.4211 phone, toll-free: +1, 888.403.8996
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. Rex Consulting, Inc. is a California Corporation.
Please don't print this e-mail, unless you really need to.
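As an added illustration of the mechanism the thread keeps circling (the RFC 1035 behaviour Paul Vixie summarises: a resolver only needs TCP when a UDP answer comes back with the TC bit set or for AXFR), here is example code written for this page, not by anyone in the thread. It builds a query, detects a truncated UDP response, and shows the two-byte length framing RFC 1035 4.2.2 requires on TCP; the truncated response is a constructed sample, no network is touched.

```python
import struct

# RFC 1035 4.2.1: UDP answers are limited to 512 bytes. A server that cannot fit
# the answer sets TC (truncated); the resolver then repeats the query over TCP.
# RFC 1035 4.2.2: on TCP every message is prefixed with a 2-byte big-endian length.
TC_BIT = 0x0200

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal recursion-desired query for qname/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields a client needs."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC_BIT),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(query: bytes, response: bytes) -> bool:
    """True when a UDP response is truncated and the query must be repeated over TCP."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("response does not match query")  # drop it, never act on it
    return r["tc"]

def frame_tcp(msg: bytes) -> bytes:
    """Prefix a message with its length for transmission over a TCP stream."""
    return struct.pack("!H", len(msg)) + msg

def unframe_tcp(stream: bytes) -> list:
    """Split a TCP byte stream into complete messages; a trailing partial is left unread."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs

# Constructed sample: server echoes the question with QR, RD, RA and TC set and no answers.
QUERY = build_query("example.com.", 1)
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    if needs_tcp_retry(QUERY, TRUNCATED):
        print("TC set; resend over TCP with length prefix", frame_tcp(QUERY)[:2].hex())
```

A resolver behind a firewall that drops 53/tcp never gets past the `needs_tcp_retry` branch, which is the failure mode the thread is arguing about.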
Tomas L. Byrnes wrote:
-----Original Message----- From: Tomas L. Byrnes Sent: Saturday, August 09, 2008 9:01 PM To: 'Chris Paul' Subject: RE: maybe a dumb idea on how to fix the dns problems i don't know....
Actually, the RFCs (RFC-1034 3.7, RFC-1035 4.2, ref RFC-793; implementation spec in RFC-1035 4.2.2; RFC-2136 2.1 says TCP is "at the discretion of the requestor") say TCP "Should" be supported. It's optional, but recommended.
The source of the guidance to block TCP is misguided "security" folks who confuse self-denial of service with policy enforcement.
Thanks Tomas for doing the research I wasn't about to do on a weekend....

Dear North American Network Operators,

See, it isn't a dumb idea after all? Y'all get coding, patching and firewall rule-set changing now! Let's please stop using UDP for DNS resolution. THAT was the dumb idea really... (I know; you old folks that created this wonderful thing didn't think of that back then.... blah blah blah.)

And SYN flooding? That happens to port 80 and port 25 too, right? Most web and mail servers listen to the WORLD, whereas most DNS servers doing recursion do so only for the local network, where SYN flooding is less of a risk.

The experts don't seem to be able to post any rebuttals to my idea in decent enough English to answer why we should not do this. Perhaps I'm just too dumb to understand all you zen masters out there with your desire to use bad grammar, lack of punctuation and capitalization and the most complicated language to obfuscate solutions....

Oh and, ha ha, even though I'm just the ldap dude, I'll take all the fame and money (paypal or send to address below) for coming up with the simple solution to this dns problem. If you really want, my Mom will send some cookies to the next blackhat. (My Grandma taught her how very well but she is dead.) There's really nothing more complicated about this problem than baking cookies, I don't think, but you have to go through many generations of iteration and experimentation to get it right. And sometimes the answers are simple once they are found (hey look what I found out: see what this bicarbonate of soda does!).

Oh hey, yesterday was Saturday! Duh! Bonus for me!!! Why on earth did I check my email? I usually don't on weekends at all. I'm sorry......

This change would not even be hard to implement globally, would it? Just SIMPLE code changes, patches, and firewall changes. (OK maybe the last part is not so easy but that to me is just lack of competence out there.)
Best,
CP