* John Kristoff wrote:
And why auditors do not like tcp53 open to public?
They may have an outdated, naive view of what should be open and
what shouldn't be? Show them the above and ask them why. I'd be
curious what the response is.
We have never seen TCP/53 in public beside strange
We've seen large companies' sysadmins being adamant that their firewall setup
was correct and that we didn't know DNS .. .. even though every single article
and test result proved otherwise ..
Never underestimate stupidity and ignorance :)
Mr Michele Neylon
Blacknight Solutions ♞
Hosting
* Joe Abley:
The assumption is that firewall means device that keeps
state. This could be a firewall, or a NAT, or an in-line DPI
device, or something similar. We're not talking about stateless
packet filters.
I think you still can't serve UDP over IPv6 without per-client state,
keeping both
On May 1, 2013, at 9:40 PM, Florian Weimer wrote:
I wonder when this statefulness of IPv6 UDP traffic will cause practical
problems,
One rather suspects that there are many more implications to moving
fragmentation to the endpoint nodes which have yet to be fully understood (for
example,
-Original Message-
From: Michele Neylon :: Blacknight mich...@blacknight.com
Date: Wednesday, May 1, 2013 8:21 AM
To: Lutz Donnerhacke l...@iks-jena.de
Cc: dns-operati...@mail.dns-oarc.net dns-operati...@mail.dns-oarc.net
Subject: Re: [dns-operations] DNS Issue
We've seen large companies
Florian Weimer f...@deneb.enyo.de wrote:
I think you still can't serve UDP over IPv6 without per-client state,
keeping both full RFC conformance and interoperability with the
existing client population. Pre-fragmentation to 1280 or so bytes
isn't enough, you also have to generate atomic
* Tony Finch:
Florian Weimer f...@deneb.enyo.de wrote:
I think you still can't serve UDP over IPv6 without per-client state,
keeping both full RFC conformance and interoperability with the
existing client population. Pre-fragmentation to 1280 or so bytes
isn't enough, you also have to
Tony Finch wrote:
... don't fragment and restrict the EDNS buffer size to 1280. I'm
somewhat amazed that DNS-over-fragmented-UDP works as well as it does.
See also
https://www.usenix.org/conference/lisa12/dnssec-what-every-sysadmin-should-be-doing-keep-things-working
and:
In message alpine.lsu.2.00.1305011825160.19...@hermes-2.csi.cam.ac.uk, Tony Finch writes:
Florian Weimer f...@deneb.enyo.de wrote:
I think you still can't serve UDP over IPv6 without per-client state,
keeping both full RFC conformance and interoperability with the
existing client
On Apr 26, 2013, at 8:24, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
Hi,
Also can someone explain why tcp53 should be allowed on the firewalls if dns
is behind a firewall?
In addition to other already posted reasons, TCP isn't susceptible to
reflection attacks. (FWIW.)
And why auditors
On Apr 26, 2013, at 12:27 AM, Warren Kumari wrote:
I think that in many cases it is not that the named version doesn't support
randomization, but rather that they / their firewall group believes that DNS
should only be allowed on port 53 (and UDP, natch).
The actual problem being that the
From: Dobbins, Roland rdobb...@arbor.net
The actual problem being that the DNS servers oughtn't to be behind
a firewall in the first place.
Can you elaborate on your statement? I can guess what the reaction around
here would be if I suggested it.
On 2013-04-26, at 08:11, wbr...@e1b.org wrote:
From: Dobbins, Roland rdobb...@arbor.net
The actual problem being that the DNS servers oughtn't to be behind
a firewall in the first place.
Can you elaborate on your statement? I can guess what the reaction around
here would be if I
Of wbr...@e1b.org
Sent: Friday, April 26, 2013 3:11 PM
To: Dobbins, Roland
Cc: dns-operations@lists.dns-oarc.net List;
dns-operations-boun...@lists.dns-oarc.net
Subject: Re: [dns-operations] DNS Issue
From: Dobbins, Roland rdobb...@arbor.net
The actual problem being that the DNS servers oughtn't
Joe Abley (jabley) writes:
The number of stateful firewalls that can happily handle occasional flows of
up to 100,000 flows per second to/from individual devices are few. Yours
probably isn't one of them.
Corollary: whatever device you'll be putting in front of the DNS servers
On Apr 26, 2013, at 7:24 PM, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
Also can someone explain why tcp53 should be allowed on the firewalls if dns
is behind a firewall?
Truncate mode.
And why auditors do not like tcp53 open to public?
'Security' misinformation spread by firewall vendors
On Apr 26, 2013, at 7:23 PM, Joe Abley wrote:
The number of stateful firewalls that can happily handle occasional flows of
up to 100,000 flows per second to/from individual devices are few. Yours
probably isn't one of them.
I've seen 3mb/sec of spoofed SYN-flood take down a stateful
On Apr 26, 2013, at 7:29 PM, Phil Regnauld wrote:
In general, vendors of attack mitigation equipment rarely advise you about
what you'll need in the future, only what they can sell you now.
+1.
The architecture should be designed for horizontal scalability from the outset.
On Apr 26, 2013, at 4:32 AM, Dobbins, Roland rdobb...@arbor.net wrote:
On Apr 26, 2013, at 12:27 AM, Warren Kumari wrote:
I think that in many cases it is not that the named version doesn't support
randomization, but rather that they / their firewall group believes that
DNS should only
On Fri, 26 Apr 2013 12:24:01 +
Cihan SUBASI (GARANTI TEKNOLOJI) cih...@garanti.com.tr wrote:
Also can someone explain why tcp53 should be allowed on the firewalls
if dns is behind a firewall?
DNS over TCP is not just for zone transfers. Many legitimate queries
and answers, will be carried
From: Jared Mauch ja...@puck.nether.net
Because someone told them the wrong thing and they don't know any
difference. Just because they're an auditor doesn't mean they are
clued. Simple thing would be to show them a dns query that requires
tcp, such as:
Would you show anything to a doctor
Good timing...
On Fri, 26 Apr 2013, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
Also can someone explain why tcp53 should be allowed on the firewalls if dns
is behind a firewall?
And why auditors do not like tcp53 open to public?
See, that's another of the arguments why DNS should *not* be
Dears
I wonder if someone can guide me in the direction for troubleshooting my DNS
issues.
I work at a regional ISP; we have two DNS servers which work fine for most
domain names but cannot resolve some others, like dyn.com.
When I try to do dig +trace, below is the output:
On 2013-04-24, Samir Abidali samir.abid...@gorannet.net sent:
I wonder if someone can guide me in the direction for
troubleshooting my DNS issues.
I work at a regional ISP; we have two DNS servers which
work fine for most domain names but cannot resolve
some others, like
On 2013/04/24, at 09:06, Samir Abidali wrote:
I wonder if someone can guide me in the direction for troubleshooting my DNS
issues.
I work at a regional ISP; we have two DNS servers which work fine for
most domain names but cannot resolve some others, like dyn.com.
I wasn't
On Wed, 24 Apr 2013, Chip Marshall wrote:
Are you doing query source port randomization?
https://www.dns-oarc.net/oarc/services/porttest
I have been hearing more reports of people in the last two weeks that
DNS queries originating from port 53 are getting blocked. slashdot.org
was one of
Paul Wouters wrote:
I have been hearing more reports of people in the last two weeks that
DNS queries originating from port 53 are getting blocked. slashdot.org
was one of those domains that started failing when your recursing name
server is configured to use a query port of 53.
We've seen