On Apr 26, 2013, at 12:27 AM, Warren Kumari wrote:
I think that in many cases it is not that the named version doesn't support
randomization, but rather that they / their firewall group believes that DNS
should only be allowed on port 53 (and UDP, natch).
The actual problem being that the
From: Dobbins, Roland rdobb...@arbor.net
The actual problem being that the DNS servers oughtn't to be behind
a firewall in the first place.
Can you elaborate on your statement? I can guess what the reaction around
here would be if I suggested it.
Confidentiality Notice:
This electronic
On 2013-04-26, at 08:11, wbr...@e1b.org wrote:
From: Dobbins, Roland rdobb...@arbor.net
The actual problem being that the DNS servers oughtn't to be behind
a firewall in the first place.
Can you elaborate on your statement? I can guess what the reaction around
here would be if I
Hi,
Also can someone explain why tcp53 should be allowed on the firewalls if dns is
behind a firewall?
And why auditors do not like tcp53 open to public?
-Original Message-
From: dns-operations-boun...@lists.dns-oarc.net
[mailto:dns-operations-boun...@lists.dns-oarc.net] On Behalf
Joe Abley (jabley) writes:
The number of stateful firewalls that can happily handle occasional flows of
up to 100,000 flows per second two/from individual devices are few. Yours
probably isn't one of them.
Corollary: whatever device you'll be putting in front of the DNS servers
On Apr 26, 2013, at 7:24 PM, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
Also can someone explain why tcp53 should be allowed on the firewalls if dns
is behind a firewall?
Truncate mode.
And why auditors do not like tcp53 open to public?
'Security' misinformation spread by firewall vendors
On Apr 26, 2013, at 7:23 PM, Joe Abley wrote:
The number of stateful firewalls that can happily handle occasional flows of
up to 100,000 flows per second two/from individual devices are few. Yours
probably isn't one of them.
I've seen 3mb/sec of spoofed SYN-flood take down a stateful
On Apr 26, 2013, at 7:29 PM, Phil Regnauld wrote:
In general, vendors of attack mitigation equipment rarely advise you about
what you'll need in the future, only what they can sell you now.
+1.
The architecture should be designed for horizontal scalability from the outset.
On Apr 26, 2013, at 4:32 AM, Dobbins, Roland rdobb...@arbor.net wrote:
On Apr 26, 2013, at 12:27 AM, Warren Kumari wrote:
I think that in many cases it is not that the named version doesn't support
randomization, but rather that they / their firewall group believes that
DNS should only
On Fri, 26 Apr 2013 12:24:01 +
Cihan SUBASI (GARANTI TEKNOLOJI) cih...@garanti.com.tr wrote:
Also can someone explain why tcp53 should be allowed on the firewalls
if dns is behind a firewall?
DNS over TCP is not just for zone transfers. Many legitimate queries
and answers, will be carried
From: Jared Mauch ja...@puck.nether.net
Because someone told them the wrong thing and they don't know any
difference. Just because they're an auditor doesn't mean they are
clued. Simple thing would be to show them a dns query that requires
tcp, such as:
Would you show anything to a doctor
Good timing...
On Fri, 26 Apr 2013, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
Also can someone explain why tcp53 should be allowed on the firewalls if dns
is behind a firewall?
And why auditors do not like tcp53 open to public?
See, that's another of the arguments why DNS should *not* be
12 matches
Mail list logo