On Fri, 9 Feb 2001, Ron Ryan wrote:

> I wouldn't recommend allowing tcp 53 unless you absolutely have to and then
> only with a trusted DNS server. TCP is normally used for zone transfers and
> you don't want to give away that information.

TCP is also used for larger than 512-byte answers and cases where UDP
fails (such as high traffic situations where UDP may be dropped by routing
equipment.)

It's in the protocol; turning off zone transfers is the *correct* way to
handle that issue. Anything else may give you significant and sporadic
trouble. (For instance, one set of AOL query responses used not to fit in a
UDP response; it may have been their MXs. Not exactly a great situation to
set up for your users if mail to people on AOL is a business need.)


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
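The truncation-and-retry behaviour Paul describes, as an added example that is not part of the thread: a tiny DNS response builder that drops answers at a record boundary and sets the TC bit once a UDP reply would exceed the classic 512-byte limit, plus the resolver-side check that turns TC=1 into a retry over TCP. The domain, the MX hosts and the `resolve()` helper are constructed for illustration; the wire format follows RFC 1035 (no name compression, no EDNS0).

```python
import struct

DNS_FLAG_QR = 0x8000      # response
DNS_FLAG_TC = 0x0200      # truncated: client must retry over TCP (RFC 1035 4.2.1)
UDP_MAX_PAYLOAD = 512     # classic pre-EDNS0 UDP message limit
TYPE_MX, CLASS_IN = 15, 1

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def encode_mx(owner, preference, exchange, ttl=3600):
    """One MX resource record: owner, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    rdata = struct.pack("!H", preference) + encode_name(exchange)
    return encode_name(owner) + struct.pack("!HHIH", TYPE_MX, CLASS_IN, ttl, len(rdata)) + rdata

def build_response(qname, mx_records, max_size=UDP_MAX_PAYLOAD):
    """Server side: assemble an MX answer. If it will not fit in max_size bytes
    (max_size=None means TCP, no limit), drop trailing records and set TC=1.
    Returns (packet, truncated, answers_kept)."""
    question = encode_name(qname) + struct.pack("!HH", TYPE_MX, CLASS_IN)
    kept = [encode_mx(qname, pref, exch) for pref, exch in mx_records]
    truncated = False
    while True:
        body = question + b"".join(kept)
        if max_size is None or 12 + len(body) <= max_size or not kept:
            break
        kept.pop()            # truncate on an RR boundary, never mid-record
        truncated = True
    flags = DNS_FLAG_QR | (DNS_FLAG_TC if truncated else 0)
    # ID (constructed), flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(kept), 0, 0)
    return header + body, truncated, len(kept)

def needs_tcp_retry(packet):
    """Resolver side: a reply with TC=1 is incomplete and must be re-asked over TCP."""
    _id, flags = struct.unpack("!HH", packet[:4])
    return bool(flags & DNS_FLAG_TC)

def resolve(qname, mx_records, tcp_allowed=True):
    """Hypothetical resolver: UDP first, TCP on truncation. With tcp/53 filtered
    the oversized answer can never be completed, which is the failure Paul warns about."""
    udp_pkt, _, n_udp = build_response(qname, mx_records)
    if not needs_tcp_retry(udp_pkt):
        return "udp", n_udp
    if not tcp_allowed:
        raise ConnectionError("TC=1 but tcp/53 is filtered: MX answer is incomplete")
    _tcp_pkt, _, n_tcp = build_response(qname, mx_records, max_size=None)
    return "tcp", n_tcp

# Constructed sample: a domain with 20 MX hosts, each RR 53 bytes uncompressed,
# so only 9 fit under 512 bytes alongside the 12-byte header and 18-byte question.
SAMPLE_MX = [(10, "mailin-%02d.mx.example.test." % i) for i in range(20)]

if __name__ == "__main__":
    pkt, truncated, kept = build_response("example.test.", SAMPLE_MX)
    print("UDP reply: %d bytes, TC=%s, %d of %d MX kept" % (len(pkt), truncated, kept, len(SAMPLE_MX)))
    print("resolve with tcp/53 open:", resolve("example.test.", SAMPLE_MX))
    try:
        resolve("example.test.", SAMPLE_MX, tcp_allowed=False)
    except ConnectionError as e:
        print("resolve with tcp/53 filtered:", e)
```

The firewall-relevant point is in `resolve()`: the only reason the client ever opens TCP/53 here is the TC bit, which the server sets by protocol when an ordinary answer is too large. Blocking TCP/53 therefore does not stop zone transfers (an `allow-transfer` restriction on the server does), it just makes large answers fail intermittently.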

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
