Re: DNS lookup delay with centos & postfix




On 26/07/2012 02:40, David McGuffey wrote:
> On Jul 25, 2012, at 21:27, "Joseph L. Casale" <jcasale@xxxxxxxxxxxxxxxxx> wrote:
>
>>> DNS lookups default to using 53/udp, and only use 53/tcp for zone
>>> transfers.  Could it be 53/udp is being lost/blocked between this host
>>> and your ns1?
>>
>> Unfortunately that is a common misconception.
>>
>> TCP is used far more often than "only" as stated, such as for the size of a request
>> exceeding the UDP response size, etc.
>>
>> Bottom line is both ports are needed, not just for zone xfers.
>>
> Except that the malware guys have figured out how to abuse port 53. Security recommendation is to block TCP unless you're running a DNS server. And also block oversize port 53 UDP packets.

Blocking oversize UDP packets is a very bad idea. EDNS is used for a lot 
of lookups these days due to DNSSEC, and so blocking oversize UDP 
packets will force you to use TCP to get many of your DNS requests.


>
> Dave M

Tris

*************************************************************
This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity 
to whom they are addressed. If you have received this email 
in error please notify postmaster@xxxxxxxx

The views expressed within this email are those of the 
individual, and not necessarily those of the organisation
*************************************************************

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
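The mechanics behind Tris's point, as an added example that is not part of the original thread: a client advertises the UDP reply size it can accept in an EDNS0 OPT pseudo-RR (RFC 6891; the DNSSEC "DO" bit lives in the same record), and a server whose reply does not fit sets the TC (truncation) bit, which makes the resolver retry the query over 53/tcp with a 2-byte length prefix (RFC 1035 section 4.2.2). Every packet below is constructed inline, so nothing touches the network; the query name, transaction ID and buffer sizes are arbitrary choices for the demonstration.

```python
"""EDNS0 buffer size, the TC bit and TCP fallback, on hand-built DNS packets.

Added example for the thread above, not code from the original post or
from CentOS/Postfix. All packets are constructed in memory; nothing is sent.
"""
import struct

OPT_TYPE = 41            # OPT pseudo-RR type (RFC 6891)
FLAG_QR = 0x8000         # header flag: this is a response
FLAG_TC = 0x0200         # header flag: message was truncated
FLAG_RD = 0x0100         # header flag: recursion desired
OPT_DO = 0x8000          # DNSSEC OK bit, bit 15 of the OPT "TTL" field
CLASSIC_UDP_MAX = 512    # RFC 1035 UDP limit when no OPT RR is present


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(pkt, off):
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer terminates the name
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length


def build_query(qname, qtype, txid, bufsize=4096, dnssec_ok=True, edns=True):
    """Recursive query; with edns=True an OPT RR advertising `bufsize` goes in the additional section."""
    hdr = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    if not edns:
        return hdr + question
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH=0
    ttl = OPT_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl, 0)
    return hdr + question + opt


def build_response(query, truncated=True, bufsize=CLASSIC_UDP_MAX):
    """Constructed server reply echoing the question; truncated=True sets TC and carries no answers."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4
    flags |= FLAG_QR | (FLAG_TC if truncated else 0)
    hdr = struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return hdr + query[12:qend] + opt


def parse(pkt):
    """Header bits plus the UDP payload size and DO bit from the OPT RR, if one is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    bufsize, do_bit = None, False
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            bufsize, do_bit = rclass, bool(ttl & OPT_DO)
        off += 10 + rdlen
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "edns_bufsize": bufsize, "dnssec_ok": do_bit}


def effective_udp_limit(pkt):
    """Largest UDP message the sender of `pkt` says it will accept."""
    bufsize = parse(pkt)["edns_bufsize"]
    return CLASSIC_UDP_MAX if bufsize is None else bufsize


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def next_step(udp_reply, query):
    """Resolver decision after a UDP reply: accept it, or resend the query over TCP."""
    if parse(udp_reply)["tc"]:
        return "retry-tcp", tcp_frame(query)
    return "accept", None


if __name__ == "__main__":
    q = build_query("example.com", 48, txid=0x1234)     # DNSKEY query, DO=1, 4096-byte buffer
    r = build_response(q)                               # server could not fit the reply in 512 bytes
    print(parse(q))
    print(parse(r))
    print(next_step(r, q)[0])                           # retry-tcp
```

The same behaviour can be observed against a real resolver with `dig +dnssec +bufsize=4096 example.com DNSKEY` and then `dig +tcp` for the retry; a firewall that drops UDP/53 datagrams above 512 bytes turns most DNSSEC-signed answers into exactly this truncate-and-retry path, so blocking TCP/53 at the same time leaves those names unresolvable.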

