DNS Lookup - Filter "localhost"
- Subject: DNS Lookup - Filter "localhost"
- From: drc at virtualized.org (David Conrad)
- Date: Mon, 17 Nov 2014 16:46:03 -0800
- In-reply-to: <[email protected]>
- References: <CA+GZS2be1UwOmVvaNYinForRxJ9qu=+ALcvf4uL4_TBLsRzevg@mail.gmail.com> <[email protected]>
>> 3. Do you block >512-byte DNS requests?
How many > 512 byte DNS requests are people seeing?
Perhaps the requester meant > 512 byte DNS responses?
Blocking > 512 byte responses would be ... unfortunate.
>> 4. Do you block non-UDP DNS requests or rate-limit requests?
> Yes
I presume (hope) the "yes" applies rate limiting? Blocking non-UDP DNS is a bad idea. As RFC 5966 states: "... it should be noted that failure to support TCP (or the blocking of DNS over TCP at the network layer) may result in resolution failure and/or application-level timeouts."
> block anycast/broadcast source address packets
How do you know if a source address is an anycast address?
> block fragmented packets
Why would you want to block fragmented packets?
Regards,
-drc
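The truncation-and-retry behaviour behind the RFC 5966 quote above, as an added example that is not part of the original post. It simulates, with no sockets and entirely offline, a stub resolver's decision after a UDP reply and a mock upstream that answers with TC=1 when the response does not fit the client's UDP limit. The names, the 40 constructed A records under 192.0.2.0/24 and the assumption that the upstream returns only header plus question on truncation are illustrative choices, not anything from the thread.

```python
import struct

# Constructed example (not from the original post): a stub resolver's decision
# logic after a UDP reply, plus a mock upstream that truncates answers that do
# not fit the client's UDP limit. No network I/O; everything runs offline.

CLASSIC_UDP_MAX = 512          # RFC 1035 limit for DNS over UDP without EDNS0
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending with a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_full_response(txid, qname, addrs):
    """Constructed answer with one A record per address (no OPT RR, no DNSSEC)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addrs:
        rdata = bytes(int(o) for o in addr.split("."))
        # 0xC00C is a compression pointer back to the name in the question section
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def question_end(msg):
    """Offset just past the question section (a single question is assumed)."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4   # terminating zero byte + QTYPE + QCLASS


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "ancount": an}


def serve_udp(full_response, udp_payload_max):
    """Mock upstream: if the answer exceeds what the client accepts over UDP,
    reply with header + question only and TC=1 (RFC 1035 section 4.2.1).
    The full answer is always available over TCP."""
    if len(full_response) <= udp_payload_max:
        return full_response
    txid, flags, qd, *_ = struct.unpack("!HHHHHH", full_response[:12])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0)
    return header + full_response[12:question_end(full_response)]


def plan_next_step(udp_reply, tcp_allowed):
    """Decision a stub resolver must take after a UDP reply. Per RFC 5966 a
    TC=1 reply obliges a retry over TCP; if TCP is filtered, resolution fails."""
    if not parse_header(udp_reply)["tc"]:
        return "use_udp_answer"
    return "retry_over_tcp" if tcp_allowed else "resolution_fails"


def resolve(qname, addrs, tcp_allowed, edns_udp_size=None):
    """Simulate one lookup. Returns (full answer size, step taken, records obtained).
    edns_udp_size models the client's advertised EDNS0 UDP payload size; the
    OPT RR itself is omitted from the message for brevity."""
    full = build_full_response(0x1234, qname, addrs)
    udp_reply = serve_udp(full, edns_udp_size or CLASSIC_UDP_MAX)
    step = plan_next_step(udp_reply, tcp_allowed)
    if step == "use_udp_answer":
        got = parse_header(udp_reply)["ancount"]
    elif step == "retry_over_tcp":
        got = parse_header(full)["ancount"]     # TCP carries the whole message
    else:
        got = 0
    return len(full), step, got


if __name__ == "__main__":
    addrs = ["192.0.2.%d" % i for i in range(1, 41)]   # constructed: 40 records
    for tcp, edns in [(True, None), (False, None), (False, 4096)]:
        print("tcp_allowed=%-5s edns=%-4s -> %s"
              % (tcp, edns, resolve("example.com", addrs, tcp, edns)))
```

With 40 A records the answer is 669 bytes: over classic UDP the upstream truncates and the client only recovers if TCP is open; with an EDNS0 payload size of 4096 the same answer is a perfectly ordinary UDP response larger than 512 bytes, which is the case filtering by size would break.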