Hi Brett,
Thanks for the quick answer.
See below.

> -----Original Message-----
> From: Brett Lymn [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 04 July, 2001 9:20 AM
> To: Guy Pazi
> Cc: [EMAIL PROTECTED]
> Subject: Re: blocking dns
>
>
> According to Guy Pazi:
> >
> >I keep on hearing in newsgroups as well as in person that blocking dns
> >traffic over tcp is a good idea.
> >
>
> Blocking tcp dns is NOT a good idea.  Anyone who advocates it does not
> know how DNS works and should be shot.
I agree with you (though I'm not sure about the shooting). But tcp dns IS
blocked, and WIDELY blocked around the world.
I'm trying to figure out how wide it is.
> A lot of people think that DNS
> only uses TCP for zone transfers.  This is simply not true.  If a DNS
> record is too large to fit into a single UDP packet then DNS will use
> TCP to return the record.  If you want DNS to work correctly all the
> time you need to allow TCP connections too.  If you are worried about
> unauthorised zone transfers then use a modern DNS daemon and set it up
> correctly.
>
> --
> ===============================================================================
> Brett Lymn, Computer Systems Administrator, BAE SYSTEMS
> ===============================================================================

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
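The behaviour Brett describes (a resolver sends the query over UDP, the server sets the TC bit when the answer will not fit, and the resolver retries the same query over TCP with a 2-byte length prefix) shown as wire bytes, as an added example that is not part of this thread or anyone's posted code. The query name `example.com`, the answer `192.0.2.1`, and the `udp_*`/`tcp_*` server stand-ins are all constructed here to run offline; `tcp_blocked` models a firewall that filters TCP/53, which is the lookup failure the thread is about.

```python
"""DNS truncation (TC bit) and TCP fallback, demonstrated on constructed packets."""
import struct

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: a length byte before each label, 0x00 at the end."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query: 12-byte header plus one question (class IN)."""
    flags = 0x0100                      # RD: recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the DNS header; the TC bit (0x0200) is what forces a TCP retry."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def resolve(query: bytes, udp_send, tcp_send):
    """Resolver transport logic: UDP first, retry over TCP when the answer is truncated.

    udp_send/tcp_send are callables standing in for the network; tcp_send returns
    None when TCP/53 is unreachable (e.g. filtered by a firewall).
    """
    udp_resp = udp_send(query)
    if not parse_header(udp_resp)["tc"]:
        return "udp", udp_resp
    tcp_resp = tcp_send(frame_for_tcp(query))
    if tcp_resp is None:
        raise RuntimeError("UDP answer truncated and TCP/53 unreachable: lookup fails")
    (length,) = struct.unpack("!H", tcp_resp[:2])
    return "tcp", tcp_resp[2:2 + length]

# --- constructed stand-ins for the network (not real servers) ---

def _full_answer(query: bytes) -> bytes:
    """Complete response to `query`: one A record for 192.0.2.1 (documentation address)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180                      # QR, RD, RA; rcode NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:]
    # name = pointer to offset 12 (the question name), type A, class IN, TTL 300, 4-byte rdata
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

def udp_truncated(query: bytes) -> bytes:
    """Server whose full answer would not fit in a UDP datagram: sets TC, omits the records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | 0x0200             # same flags as above plus TC
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]

def udp_complete(query: bytes) -> bytes:
    """Server whose answer fits in UDP: no TC bit, records included."""
    return _full_answer(query)

def tcp_open(framed_query: bytes) -> bytes:
    """TCP/53 reachable: returns the full answer, length-prefixed."""
    return frame_for_tcp(_full_answer(framed_query[2:]))

def tcp_blocked(framed_query: bytes):
    """TCP/53 filtered: the connection never completes."""
    return None

if __name__ == "__main__":
    q = build_query("example.com")
    print(resolve(q, udp_complete, tcp_open)[0])      # udp
    print(resolve(q, udp_truncated, tcp_open)[0])     # tcp
    try:
        resolve(q, udp_truncated, tcp_blocked)
    except RuntimeError as e:
        print("FAIL:", e)
```

The third call is the case the thread argues about: the UDP exchange succeeds, but the server has said "this answer is too big", and with TCP/53 filtered the resolver has nothing to retry on, so the name simply does not resolve. Nothing in the firewall log looks like a DNS failure, which is why the breakage is easy to misattribute.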
