How to reduce the number of IP addresses returned when resolving a big round robin DNS entry

Joseph S D Yao jsdy at center.osis.gov
Thu Nov 30 20:18:42 UTC 2006


Why was this sent to both the mailing-list address and the newsgroup
list for the mailing list?  ;-(


On Tue, Nov 28, 2006 at 11:03:08AM +0100, besnard michel wrote:
...
> I'm facing a "message truncated" bit problem; my BIND server sends back
> 29 RRs to my DNS client. But not all my DNS clients accept this bit and
> use TCP instead (normal); for the moment I do not accept TCP
> (firewalled and not load balanced, need to check BIND configuration...
> to make). So I reduce the number of entries in my big IN A round robin
> entry. I think it's the best solution for security: DDoS attack. So
> I try to use UDP only for DNS clients.
...

Four things.

(1) This is one reason why you must NOT block TCP port 53 in your
firewall.

(2) You should reduce the number of IP addresses.  You cannot get 29
responses in a standard packet, and you can't make a GOOD name server
return less than the full truth.  And if you start using a lying name
server, you will get what you deserve - lies.

(3) I was about to say something about keeping all of the names short,
but of course in an A query there is only one name.  Skip this one.

(4) EDNS allows larger packet sizes.

-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
