Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.protocols.dns.bind > #15922
| Path | csiph.com!news.swapon.de!aioe.org!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail |
|---|---|
| From | "@lbutlr" <kremels@kreme.com> |
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: DNS security, amplification attacks and recursion |
| Date | Tue, 7 Jul 2020 14:05:53 -0600 |
| Lines | 31 |
| Approved | bind-users@lists.isc.org |
| Message-ID | <mailman.635.1594152326.942.bind-users@lists.isc.org> (permalink) |
| References | <7adcb06a-4d03-7362-6f4a-29b3fb223697@nixmagic.com> <alpine.DEB.2.20.2007071426460.21235@grey.csi.cam.ac.uk> <638f7210-c14f-1d6c-9443-a8356d1d71e0@nixmagic.com> <4C831C03-AA36-4A82-977F-ADC6843A43CF@kreme.com> |
| NNTP-Posting-Host | lists.isc.org |
| Content-Type | text/plain; charset=us-ascii |
| Content-Transfer-Encoding | quoted-printable |
| X-Trace | usenet.stanford.edu 1594152361 19937 149.20.1.60 (7 Jul 2020 20:06:01 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| To | bind-users <bind-users@lists.isc.org> |
| Return-Path | <kremels@kreme.com> |
| X-Original-To | bind-users@lists.isc.org |
| Delivered-To | bind-users@lists.isc.org |
| In-Reply-To | <638f7210-c14f-1d6c-9443-a8356d1d71e0@nixmagic.com> |
| X-Mailer | Apple Mail (2.3645.0.6.2.3) |
| X-Spam-Status | No, score=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.2 |
| X-Spam-Checker-Version | SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org |
| X-BeenThere | bind-users@lists.isc.org |
| X-Mailman-Version | 2.1.29 |
| Precedence | list |
| List-Id | BIND Users Mailing List <bind-users.lists.isc.org> |
| List-Unsubscribe | <https://lists.isc.org/mailman/options/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=unsubscribe> |
| List-Archive | <https://lists.isc.org/pipermail/bind-users/> |
| List-Post | <mailto:bind-users@lists.isc.org> |
| List-Help | <mailto:bind-users-request@lists.isc.org?subject=help> |
| List-Subscribe | <https://lists.isc.org/mailman/listinfo/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=subscribe> |
| X-Mailman-Original-Message-ID | <4C831C03-AA36-4A82-977F-ADC6843A43CF@kreme.com> |
| X-Mailman-Original-References | <7adcb06a-4d03-7362-6f4a-29b3fb223697@nixmagic.com> <alpine.DEB.2.20.2007071426460.21235@grey.csi.cam.ac.uk> <638f7210-c14f-1d6c-9443-a8356d1d71e0@nixmagic.com> |
| Xref | csiph.com comp.protocols.dns.bind:15922 |
Show key headers only | View raw
On 07 Jul 2020, at 12:06, Michael De Roover <isc@nixmagic.com> wrote: > On 7/7/20 4:06 PM, Tony Finch wrote: > >> max-udp-size 1420; >> https://dnsflagday.net/2020/ > Interesting, I wasn't aware of this campaign. I don't know if I'm knowledgeable enough on UDP to be able to make educated decisions on this myself but I look forward to its eventual release. The URL has a good explanation of this setting and it looks like 1420 is a more than adequate packet size. From the page: An EDNS buffer size of 1232 bytes will avoid fragmentation on nearly all current networks. This is based on an MTU of 1280, which is required by the IPv6 specification, minus 48 bytes for the IPv6 and UDP headers. Sunce 1420 is still well under the MTU on most connections (usually 1500, sometimes 1492) and well above the required, I suspect this is fine as well. I've gone ahead and added to to my named.conf with a comment linking to Tony's message. -- "Are you pondering what I'm pondering?" "I think so, Mr. Brain, but if the sun'll come out tomorrow, what's it doing right now?"
Back to comp.protocols.dns.bind | Previous | Next | Find similar
Re: DNS security, amplification attacks and recursion "@lbutlr" <kremels@kreme.com> - 2020-07-07 14:05 -0600
csiph-web