Best practice on TCP replies for ANY queries
- Subject: Best practice on TCP replies for ANY queries
- From: cvicente.lists at gmail.com (Carlos Vicente)
- Date: Wed, 11 Dec 2013 17:04:40 -0500
- In-reply-to: <CALo9H1abJY0_G6YPGkhF6KWtLhBTpDxmOM++GvDGvA_UhG=Agg@mail.gmail.com>
- References: <CAJ0+aXZ5kC=ngBYdZbK2A+d296uVotdyTHBii4NgJTtbdyGhDw@mail.gmail.com> <[email protected]> <CAJ0+aXZgYTFLzga-yTHyb-J_gWDOSAxd9-bY7eCvp2AivuqJzg@mail.gmail.com> <CALo9H1abJY0_G6YPGkhF6KWtLhBTpDxmOM++GvDGvA_UhG=Agg@mail.gmail.com>
https://kb.isc.org/article/AA-01000
On Wed, Dec 11, 2013 at 2:17 PM, Arturo Servin <arturo.servin at gmail.com> wrote:
> I think it is a better idea to rate-limit your responses rather than
> limiting the size of them.
>
> AFAIK, bind has a way to do it.
>
> .as
>
>
> On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia <me at anuragbhatia.com>
> wrote:
> > Hi ML
> >
> >
> >
> > Yeah I can understand. Even DNSSEC will have issues with it, which makes
> > me worry about the rule even today.
> >
> >
> > On Wed, Dec 11, 2013 at 11:49 PM, ML <ml at kenweb.org> wrote:
> >
> >> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
> >> >
> >> > I am sure I am not the first person experiencing this issue. Curious to
> >> > hear how you are managing it. Also, under what circumstances can I get a
> >> > legitimate TCP query on port 53 whose reply exceeds a basic limit of
> >> > less than 1000 bytes?
> >> >
> >> >
> >> >
> >>
> >> I'm not a DNS guru so I don't have an exact answer. However my gut
> >> feeling is that putting in place a rule to drop or rate limit DNS
> >> replies greater than X bytes is probably going to come back to bite you
> >> in the future.
> >>
> >> No one can predict the future of what will constitute legitimate DNS
> >> traffic.
> >>
> >>
> >
> >
> > --
> >
> >
> > Anurag Bhatia
> > anuragbhatia.com
> >
> > Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
> > Twitter<https://twitter.com/anurag_bhatia>
> > Skype: anuragbhatia.com
>
>
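The thread contrasts two controls: dropping replies above a byte limit versus rate-limiting responses, as BIND's Response Rate Limiting (the feature behind the ISC link above) does. The simulation below is an added example, not code from the thread or from ISC: it runs both policies over constructed traffic (a single large DNSSEC answer to a real client, a burst of identical ANY answers toward one spoofed source block, and ordinary A lookups) and tallies what each policy would send, drop, or truncate. The limiter is a deliberately simplified model of RRL's responses-per-second, slip and window knobs (fixed one-second window, clients aggregated by /24); the addresses, names and sizes are made up.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Response:
    """One DNS response about to leave an authoritative server (constructed sample data)."""
    t: float        # time in seconds
    client: str     # source address of the query, which may be spoofed
    qname: str
    qtype: str
    size: int       # wire size of the response in bytes


def size_cap_policy(responses, cap=1000):
    """Policy A from the thread: drop every response larger than `cap` bytes."""
    return ["drop" if r.size > cap else "send" for r in responses]


class ResponseRateLimiter:
    """Policy B: simplified RRL-style limiter (assumption: a toy model, not BIND's code).
    Identical responses (same qname/qtype) to the same /24 are counted per window.
    Excess responses are dropped, except every `slip`-th one, which is sent with TC=1
    so a genuine client can retry over TCP while a spoofed victim only gets a tiny packet."""

    def __init__(self, responses_per_second=5, slip=2, window=1.0):
        self.rps = responses_per_second
        self.slip = slip
        self.window = window
        self.state = {}   # key -> [window_start, responses_in_window, excess_seen]

    def _key(self, r):
        block = ip_network(f"{r.client}/24", strict=False)
        return (str(block), r.qname.lower(), r.qtype.upper())

    def decide(self, r):
        key = self._key(r)
        st = self.state.get(key)
        if st is None or r.t - st[0] >= self.window:
            st = [r.t, 0, 0]          # open a fresh window for this response identity
            self.state[key] = st
        st[1] += 1
        if st[1] <= self.rps:
            return "send"
        st[2] += 1
        if self.slip and st[2] % self.slip == 0:
            return "truncate"         # TC=1 reply: legitimate clients fall back to TCP
        return "drop"

    def run(self, responses):
        return [self.decide(r) for r in responses]


def sample_traffic():
    """Constructed traffic, not captured data."""
    # One legitimate, large DNSSEC answer (DNSKEY) to a real resolver.
    legit = [Response(0.0, "192.0.2.10", "example.net", "DNSKEY", 1800)]
    # 40 identical ANY answers within one second toward a single spoofed source:
    # the reflection pattern RRL is designed to recognise.
    flood = [Response(0.5 + i * 0.01, "198.51.100.77", "example.net", "ANY", 1800)
             for i in range(40)]
    # Ordinary small A lookups from many resolvers in one block.
    normal = [Response(1.0 + i * 0.02, f"203.0.113.{i}", f"host{i}.example.net", "A", 90)
              for i in range(10)]
    return legit + flood + normal


def compare(responses=None):
    """Tally each policy's decisions so the two approaches can be read side by side."""
    responses = responses if responses is not None else sample_traffic()
    return {
        "size_cap": Counter(size_cap_policy(responses)),
        "rrl": Counter(ResponseRateLimiter().run(responses)),
    }


if __name__ == "__main__":
    for policy, counts in compare().items():
        print(policy, dict(counts))
```

The size cap discards the legitimate 1800-byte DNSKEY answer along with the flood, which is the failure ML and Anurag anticipate; the rate limiter delivers it untouched, answers the first few flood packets, then drops or truncates the rest. A real deployment would use BIND's own `rate-limit` options rather than this model, and would log decisions before enforcing them to see what legitimate traffic the limits touch.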