nanog mailing list archives
ECN, DNS and Firewalls
From: Mark Andrews <marka () isc org>
Date: Fri, 28 Dec 2018 13:35:04 +1100
There are major operators that still have STUPID firewall settings in front of DNS servers that drop SYN packets with ECE and CWR set 17 years after ECN was specified.

Do you really want to add a second to EVERY DNS lookup that needs to use TCP? Modern OS actually attempt to use ECN by default. DNS is time critical enough without introducing unnecessary delays.

If you have signed zones then TCP requests are almost certainly being made to your servers.

EVERYONE TEST YOUR SERVERS FROM OUTSIDE YOUR NETWORK AND FIX THE BROKEN FIREWALLS THAT ARE FOUND.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka () isc org