Subject: Re: dnscache
From: Brad Knowles (blkskynet.be)
Date: Wed Jun 14 2000 - 12:18:39 CDT


At 12:45 PM -0400 2000/6/14, Bennett Todd wrote:

> Yup. So if you're absolutely and totally committed to serving up
> authoritative answers exceeding 512 bytes, and don't give a damn
> about who all that breaks (lots of people filter tcp/53 since it's
> never needed to reach well-run sites, only sites administered by
> people who like to play stupid games with their DNS) then by all
> means run an axfrdns daemon off your tinydns-data file to serve the
> data via TCP. It's supported, it works, that does not make it a good
> idea.

        That does not make running tinydns or anything else written by
The Great Omniscient and Omnipotent Dan a good idea.

        If you've written O'Reilly books on the subject of the DNS, or if
you've written major RFCs on the subject, or you have been a key
player in getting those things done, then you have a right to comment
on this subject. If you haven't, then you haven't.

        Me, I figure I know enough about it to know that you have to be
able to serve the DNS with both UDP and TCP, and blocking TCP on port
53 is a really sad way to try to do security-by-obscurity to prevent
people from doing zone transfers against you, etc....

        This is the way the real world works, and if you fail to
recognize that, then you've got much larger problems.

        If someone is so incredibly stupid as to try to block
outbound TCP to port 53 on their own network because no "well
administered" site could possibly need TCP except for zone transfers,
well then they get what they deserve.

        Alternatively, their customers could wake up and figure out that
there are real reasons why you might want to deal with large DNS
responses, and perhaps decide to choose to use an alternative ISP
that may be a bit more forward-thinking.

        Heck, they might even want to check out BINDv9 for themselves,
and discover the wonders of EDNS, a fully multi-threaded nameserver
(and resolver library), a nameserver and resolver library that
constantly check for security holes and abuse attempts (through
assertions), and maybe play around with making their DNS data
cryptographically secure.

--
   These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles, <blkskynet.be>                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49             || B-1140 Brussels
http://www.skynet.be                         || Belgium
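The mechanism the two posters are arguing about (plain UDP DNS capping a response at 512 bytes, the server setting the TC bit when it cannot fit the answer, the client retrying over TCP, and EDNS0 letting a client advertise a bigger UDP buffer) is shown below as an added, self-contained example. It is not code from the thread, from tinydns/axfrdns or from BIND; the "server" is a constructed in-memory function, the function names (build_query, resolve, build_response, and so on) and the 40 addresses under 192.0.2.0/24 are the example's own inventions, and the response builder does not echo an OPT record or handle the real-world details of a full resolver.

```python
"""DNS over UDP vs. TCP: the 512-byte limit, the TC bit, and TCP fallback.

Added example, not code from the original thread. Standard library only;
the "server" is a constructed in-memory function so this runs offline.
"""
import struct

UDP_PAYLOAD_LIMIT = 512            # RFC 1035 ceiling for plain (non-EDNS) UDP
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels, root-terminated."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234, edns_udp_size=None):
    """Build a query; with edns_udp_size set, append an EDNS0 OPT pseudo-RR
    (RFC 2671/6891) whose CLASS field carries the UDP buffer size we accept."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/ver/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def question_end(msg):
    """Offset just past the question section (query names are uncompressed)."""
    pos = 12
    for _ in range(parse_header(msg)["qdcount"]):
        while msg[pos] != 0:
            pos += 1 + msg[pos]
        pos += 1 + 4                       # root label + QTYPE + QCLASS
    return pos


def advertised_udp_size(query):
    """UDP payload size the client advertised via an OPT RR, else the 512 default."""
    pos = question_end(query)
    if parse_header(query)["arcount"] and query[pos] == 0:
        rtype, rclass = struct.unpack("!HH", query[pos + 1:pos + 5])
        if rtype == TYPE_OPT:
            return rclass
    return UDP_PAYLOAD_LIMIT


def build_response(query, addresses, transport):
    """Constructed authoritative server: one A RR per address. Over UDP, if the
    full reply exceeds what the client accepts, send header+question with TC=1."""
    hdr = parse_header(query)
    question = query[12:question_end(query)]
    answers = b""
    for ip in addresses:
        # 0xC00C = compression pointer to the QNAME at offset 12; 16 bytes per RR
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4)
        answers += bytes(int(o) for o in ip.split("."))
    flags = FLAG_QR | FLAG_AA | FLAG_RD
    full = struct.pack("!HHHHHH", hdr["id"], flags, 1, len(addresses), 0, 0) + question + answers
    if transport == "udp" and len(full) > advertised_udp_size(query):
        return struct.pack("!HHHHHH", hdr["id"], flags | FLAG_TC, 1, 0, 0, 0) + question
    return full


def frame_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(data):
    (n,) = struct.unpack("!H", data[:2])
    return data[2:2 + n]


def resolve(query, udp_send, tcp_send):
    """Client side of RFC 1035 4.2.1: UDP first; if TC is set, repeat over TCP.
    Returns (response, used_tcp); raises if TCP is needed but unreachable."""
    resp = udp_send(query)
    if not parse_header(resp)["tc"]:
        return resp, False
    try:
        return unframe_tcp(tcp_send(frame_tcp(query))), True
    except OSError as exc:
        raise RuntimeError("answer truncated and tcp/53 unavailable: %s" % exc)


# Constructed data: 40 A records = 640 bytes of answers, over 512 before the
# header and question are even counted.
ADDRESSES = ["192.0.2.%d" % i for i in range(1, 41)]


def fake_udp(query):
    return build_response(query, ADDRESSES, "udp")


def fake_tcp(framed):
    return frame_tcp(build_response(unframe_tcp(framed), ADDRESSES, "tcp"))


def blocked_tcp(framed):
    raise OSError("tcp/53 filtered by the site firewall")


if __name__ == "__main__":
    r, via_tcp = resolve(build_query("big.example."), fake_udp, fake_tcp)
    print("plain UDP: fell back to TCP =", via_tcp, "answers =", parse_header(r)["ancount"])
    r, via_tcp = resolve(build_query("big.example.", edns_udp_size=4096), fake_udp, fake_tcp)
    print("EDNS0 4096: fell back to TCP =", via_tcp, "answers =", parse_header(r)["ancount"])
```

Run as a script, the first query comes back truncated over UDP and is completed over TCP; the same query with an EDNS0 OPT record advertising a 4096-byte buffer gets all 40 answers in a single UDP response. Swap `blocked_tcp` in for `fake_tcp` on the non-EDNS query and the client is left with a TC=1 reply and no way to complete it, which is the outcome of filtering tcp/53 that the message above describes.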