Am 07. Dez, 2014 schwätzte Michael Butash so:

> You'll want to allow tcp/53 if doing any sort of public dns - anything 
> greater than 1500 bytes (ie most domain-keys//spf records), and also any

True, if you're doing those things, you might have large dns payloads and
need tcp. If you think they cause problems rather than fixing them, then
...

> anomaly mitigation gear (the things that keep 400gb DDoS at bay) use that to

What would anomaly mitigation gear be doing to cause large dns payloads?
That's a serious question as I don't even know what anomaly mitigation
gear is.

> figure our if you're real or not.  Blocking tcp for dns is not a good idea as 
> a whole, it's just RFC-compliant behavior things expect.

As I recall, the RFC only specifies tcp for large payloads. Don't allow
them and tcp isn't necessary.

ciao,

der.hans

> -mb
>
>
> On 12/07/2014 09:17 PM, der.hans wrote:
>> BTW, also firewall TCP port 53 to only allow connections from your slaves
>> unless you're certain you really want it open.
>> 
>> ciao,
>> 
>> der.hans
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>

-- 
#  http://www.LuftHans.com/        http://www.PhxLinux.org/
#  Don't step in front of speeding cars, don't eat explosives
#  and don't use m$ LookOut :). - der.hans