[Pdns-users] DNS Requirements - Packet Type Allowance/Responses/Settings

bert hubert bert.hubert at netherlabs.nl
Mon Jan 3 19:53:14 UTC 2011

On Mon, Jan 03, 2011 at 02:27:22PM -0500, Morgan Osborne wrote:
> Does anyone have a specific list of the required packet types (and response settings) needed for DNS servers to fully operate on the net?
>  I know UDP is a must, but more to the point, are ICMP (ping, tracert) responses required for people/internet browsers to use your DNS?


This question is not very PowerDNS specific, but the answer is rarely
written out anywhere. 

You will need UDP/53, TCP/53. In addition, you will need to allow UDP
fragments, since these are needed in the brave new world of DNSSEC.

Also make sure that you can pass UDP answers of >512 bytes. Some firewalls
are setup to block these as a security hazard.

In order for the fragments to work as intended, you should also have a clear
path for ICMP 'need fragment' messages, as these allow for so called Path
MTU Probing.

And while we are at it, please also add IPv6! With the impending
'ipv4ocalypse', the time to act is now. IPv6 needs some ICMP messages to
basically function, so make sure you don't block ICMPv6.

So, while you can get away with only allowing 'UDP/53', you'll need all the
rest of it to be fully ready for DNSSEC & IPv6!

Good luck!


More information about the Pdns-users mailing list