On Fri, Jul 02, 2021 at 11:12:31PM -0400, Jason Mitchell wrote:
>
> I think you would only need to allow inbound connections to tcp port 53 if
> you were running a nameserver on your machine. You would want to make sure
> that you allow outbound connections on tcp port 53 from your nameserver in
> any case. Are you using your own nameserver or are you using another machine
> for name resolution?
>

No, you think incorrectly. It doesn't matter if you are running a name server or not: if you block tcp/53 going out then you break DNS; it appears to work but fails on some domains. I did say this:

> > > > 2) are you sure your rules are correct? A particularly favourite
> > > > hobby-horse of mine is people blocking DNS over tcp/53 due to the
> > > > totally WRONG belief that only dns zone transfers use tcp/53. This is
> > > > WRONG (did I say wrong?) - if a DNS response won't fit into a UDP packet
> > > > then the DNS server will reply to the client telling it to try over tcp.
> > > > If your firewall doesn't allow that to happen there may be delays in
> > > > name resolution which could cause the appearance that gmail is slow.

I suggest that a bit of research into DNS would save you guessing.

> If the nameserver isn't on your computer then: "nc -w 4 -v <nameserver ip>
> 53" will let you know if you can connect to that server on port 53. (-v =
> verbose, -w 4 = 4 second timeout so you don't wait forever). If there's a
> network problem the connection will timeout or you'll get an error. Here are
> examples:
>

Yes, this would be good to try.

>
> And I use mail.google.com somewhat often and it goes to the same place as
> gmail.com.
>

It didn't when I last looked, they must have relented on that sometime.

--
Brett Lymn
--
Sent from my NetBSD device.

"We are were wolves", "You mean werewolves?", "No we were wolves, now we are something else entirely", "Oh"
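The behaviour Brett describes above (a UDP answer that does not fit comes back with the TC bit set and the client must re-ask over tcp/53) is easy to watch in a small client. The following is an added example written for this page; it is not code from the thread or from NetBSD. It builds a DNS query, sends it over UDP, and only opens a TCP connection when the response header has the TC flag set, which is exactly the connection an outbound tcp/53 block would kill. The two sample responses at the bottom are constructed header-only messages (0x8180 = QR|RD|RA, 0x8380 = the same with TC), and the `127.0.0.1` server address in the demo is a placeholder, not a value from the thread; `tcp53_reachable` does the same thing as the quoted `nc -w 4 -v <nameserver ip> 53` check.

```python
# Added example (not from the mailing-list thread): minimal DNS client that
# shows why outbound tcp/53 matters. Per RFC 1035, a UDP answer with the TC
# (truncated) bit set tells the client to retry the same query over TCP.
# If a firewall drops that TCP connection the client sits in the timeout,
# which looks like "slow" resolution for some names only.
import socket
import struct

FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # response was truncated, retry over TCP
FLAG_RD = 0x0100  # recursion desired


def build_query(name, qtype=1, txid=0x1234):
    """Build a wire-format DNS query (qtype 1 = A, qclass 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the interesting fields of the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def needs_tcp_retry(udp_response, expected_id):
    """True when a UDP answer must be asked again over TCP (TC bit set)."""
    hdr = parse_header(udp_response)
    if hdr["id"] != expected_id or not hdr["is_response"]:
        raise ValueError("not a response to our query")
    return hdr["truncated"]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed early")
        buf += chunk
    return buf


def query_tcp(query, server, timeout=4.0):
    """DNS over TCP: 2-byte big-endian length prefix in both directions."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return _recv_exact(sock, length)


def resolve(name, server, timeout=4.0):
    """UDP first, TCP only if the server flags the answer as truncated.

    Returns (raw_response, transport_used). A firewall blocking outbound
    tcp/53 shows up here as a timeout or refusal on the TCP leg, i.e. only
    for names whose answers don't fit in a UDP packet.
    """
    txid = 0x1234
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(4096)
    if not needs_tcp_retry(response, txid):
        return response, "udp"
    return query_tcp(query, server, timeout), "tcp"


def tcp53_reachable(server, timeout=4.0):
    """Same check as `nc -w 4 -v <server> 53`: can we open TCP port 53?"""
    try:
        with socket.create_connection((server, 53), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample responses (header only, enough to exercise the flag
# logic). 0x8180 = QR|RD|RA; 0x8380 = the same plus TC.
SAMPLE_UDP_COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_UDP_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder
    print("tcp/53 reachable:", tcp53_reachable(server))
    _, transport = resolve("example.com", server)
    print("example.com answered over", transport)
```

Run it as `python3 dnstc.py <nameserver ip>` against the resolver in question. A name whose answer is small comes back over UDP and proves nothing; the TCP leg only fires when the resolver sets TC, which is why a tcp/53 block "appears to work but fails on some domains", exactly as the thread says. The constructed headers let the decision logic be checked without any network at all.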
