Re: DNS Flag Day, Friday, Feb 1st, 2019

[Mark Andrews <marka () isc org>]

> On 25 Jan 2019, at 2:14 am, Stephen Satchell <list () satchell net> wrote:
>
> On 1/23/19 8:44 PM, Mark Andrews wrote:
> > and they your firewalls don’t block well formed DNS queries (lots of
> > them do by default).
>
> My edge routers block *all* inbound DNS requests -- I was being hit by a
> ton of them at one point.  Cavaet: I don't run a DNS server that is a
> domain zone master -- I use a DNS service for that.  I do have a DNS
> server inside, but only to handle recursive requests from inside my network.
>
> Outbound DNS requests?  Lets them through, and responses too.

Well does your DNS service properly manage the firewall in front of their
servers?  Does the anti DoS scrubbing service they are using also pass the
well formed packets to the DNS server they are advertising?

This was about testing the servers YOU directly or indirectly advertise to
the world.  It also applies to any recursive servers.  They too need properly
handle EDNS queries in all their forms.  The test tool has a recursive mode
for testing them (genreport -R).

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org