Large organization nameservers sending ICMP packets to DNS servers.

Date: Tue, 7 Aug 2007 23:32:21 -0600
From: "Jason J. W. Williams" <>

> The answer is simple- because they are supposed to be allowed. By
> them you are breaking the agreed upon rules for the protocol. Before
> long it becomes impossible to implement new features because you can't
> be sure if someone else hasn't broken something intentionally.

I don't really have a dog in this fight about TCP 53. It does seem to me
that it's a bit black and white to treat the RFCs as religious texts.
It's important to follow them wherever possible, but frankly they don't
foresee the bulk of the future security issues that usually materialize.
So if a feature of the RFC isn't working for you security-wise, I
believe it's your call to break with it there. As someone else said,
don't complain when it breaks other things as well however.

It is worth noting that we are not talking about just RFCs here, but STD
or "Internet Standards". RFCs are a variety of things, but when they
become Internet Standards, they are supposed to be mandatory. That said,
the STD makes opening TCP/53 non-mandatory as it is labeled as a
"SHOULD", not a "MUST". Those blocking tcp/53 may be stupid to do so, but
they are only violating a strong recommendation and not a requirement.

As is often pointed out, blocking port 53 will eventually almost
certainly break something and I have yet to see a good argument for
blocking TCP/53.

> If you don't like the rules- then change the damned protocol. Stop
> doing whatever you want and then complaining when other people
> with you.

I think it's possible to disagree without calling other folks stupid...

While the folks blocking or suggesting blocking TCP/53 may not be
stupid, the act of blocking it is. (Intelligent people do stupid things.)