On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:

> For a number of years I had in my /var/unbound/etc/unbound.conf line
> 
> do-tcp: no

> To make things worse I was blocking TCP port 53.

Just curious, why did you do that?

On my authoritative servers roughly 1 in 1000 queries are over TCP, even
though no answers are over 512 bytes.  Like most people, I don't use
DNSSEC, and unlike most people, I do use DNSCurve.

I've seen "in the wild" authoritative servers that always set TC=1 but
that's exceedingly rare and a bad idea for general use.

If you block 53/udp then your life will change for the worse a LOT
faster than if you merely block 53/tcp, but both are used, and both
should be allowed.  Blocking either will lead to downtime.

If you don't understand the defaults then leave them be.  Put your
energy into fixing things that are visibly broken.

Just a related PSA: please don't block ICMP either.  It's important,
necessary, and good.

Nicolai
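As an added illustration of the fallback Nicolai describes (example code, not from the thread): a small Python sketch of a stub resolver that decodes the DNS header and, when a UDP reply carries TC=1, retries the same question over TCP. The replies are constructed header-only messages and `PortBlocked` stands in for a firewall dropping 53/tcp, so it runs offline.

```python
import struct

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP ceiling from RFC 1035


def parse_dns_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,       # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,        # 1 = truncated, client must retry over TCP
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_reply: bytes) -> bool:
    """A UDP reply with TC=1 does not carry the full answer; TCP is mandatory."""
    return parse_dns_header(udp_reply)["tc"] == 1


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP is the same message behind a 2-byte length prefix (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def build_reply(ident: int, tc: int, rcode: int = 0) -> bytes:
    """Constructed sample: a header-only response (QR=1, RD=1, RA=1), no records."""
    flags = (1 << 15) | (1 << 8) | (1 << 7) | (tc << 9) | rcode
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0)


class PortBlocked(Exception):
    """Hypothetical stand-in for a firewall rule that drops 53/tcp."""


def resolve_with_fallback(udp_query, tcp_query):
    """Mimic a stub resolver: ask over UDP, retry over TCP only if truncated.
    udp_query/tcp_query are callables returning raw reply bytes; tcp_query may
    raise PortBlocked. Returns None when the lookup cannot complete."""
    reply = udp_query()
    if not needs_tcp_retry(reply):
        return reply
    try:
        return tcp_query()
    except PortBlocked:
        return None  # truncated answer and no TCP: the lookup fails outright
```

With `do-tcp: no` or 53/tcp filtered, every truncated reply ends in the `None` branch, which is the downtime the post warns about.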
