In message <[email protected]>, Fred Morris writes:
> I just noticed that when configuring firewall rules for an AWS instance,
> if "DNS" is chosen then the (only) protocol automagically filled in is
> UDP.
>
> To get TCP, you have to create a custom TCP rule.
>
> When you save, the UDP one gets saved as "DNS", the TCP one stays "custom
> TCP rule".
And the filtering rules break EDNS version negotiation. The nameservers
themselves also need to be fixed to properly respond to unknown EDNS
versions (i.e. return BADVERS rather than ignore the version in the
request). e.g.

9gag.com. @205.251.193.152 (ns-408.awsdns-51.com.): dns=ok edns=ok edns1=status,version,soa edns@512=ok ednsopt=ok edns1opt=status,version,soa do=ok ednsflags=ok
9gag.com. @205.251.197.14 (ns-1294.awsdns-33.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok
9gag.com. @205.251.198.137 (ns-1673.awsdns-17.co.uk.): dns=ok edns=ok edns1=status,version,soa edns@512=ok ednsopt=ok edns1opt=status,version,soa do=ok ednsflags=ok
9gag.com. @205.251.194.117 (ns-629.awsdns-14.net.): dns=ok edns=ok edns1=status,version,soa edns@512=ok ednsopt=ok edns1opt=status,version,soa do=ok ednsflags=ok

> --
>
> Fred Morris
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
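As an added illustration that is not part of this thread: a small Python script that builds the EDNS version-1 probe behind the edns1= column in the output above and classifies a reply into the same three defect names. It runs against two constructed sample responses rather than a live server; the function names, the sample replies and my reading of "status,version,soa" as (wrong RCODE, wrong echoed version, answer data present) are assumptions, not ednscomp's own code.

```python
import struct
OPT, SOA = 41, 6
BADVERS = 16  # RCODE a server must return for an EDNS version it does not support (RFC 6891)
def build_edns_query(name, txid, version=1, udp_size=4096):
    """SOA/IN query whose OPT RR advertises EDNS version `version` (1 = the edns1 probe)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 for the OPT RR
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, udp_size, 0, version, 0, 0)
    return header + qname + struct.pack("!HH", SOA, 1) + opt
def skip_name(msg, off):
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:  # labels until root or a compression pointer
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)
def edns1_defects(msg, txid):
    """Defect names for an EDNS1 probe reply, mirroring the edns1= flags above; [] means compliant."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    assert rid == txid, "transaction id mismatch"
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    ext_rcode, opt_version, saw_soa = None, None, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            ext_rcode, opt_version = ttl >> 24, (ttl >> 16) & 0xFF
        saw_soa |= rtype == SOA
        off += 10 + rdlen
    if ext_rcode is None:
        return ["no-opt"]  # EDNS ignored entirely
    defects = []
    if ((ext_rcode << 4) | (flags & 0xF)) != BADVERS:
        defects.append("status")   # answered NOERROR as if it were an EDNS0 query
    if opt_version != 0:
        defects.append("version")  # OPT must state the highest version the server supports (0)
    if saw_soa:
        defects.append("soa")      # a BADVERS reply carries no answer data
    return defects
def constructed_reply(query, rcode, opt_version, answers):
    """Constructed sample response (not a real capture): echo the question, set RCODE, add records."""
    qlen = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", query[0] << 8 | query[1], 0x8400 | (rcode & 0xF), 1, len(answers), 0, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, rcode >> 4, opt_version, 0, 0)
    return header + query[12:qlen] + b"".join(answers) + opt
QUERY = build_edns_query("example.com", txid=0x1234)
SOA_RR = b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 3600, 0)  # placeholder SOA with empty RDATA
COMPLIANT = constructed_reply(QUERY, BADVERS, 0, [])          # -> []
BROKEN = constructed_reply(QUERY, 0, 1, [SOA_RR])              # -> ['status', 'version', 'soa']
```

To probe a real server, send QUERY over UDP and TCP to port 53 and pass the reply to edns1_defects; a server behind a UDP-only rule will show the edns1=timeout case on TCP rather than any of these flags.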
