I believe DNS uses TCP in certain circumstances. If I recall correctly, if the request to the DNS server generates a reply that's too big for UDP, it will use TCP instead. If you block TCP, you'll see strange behavior from your DNS server - it'll work sometimes but not others. Your internal clients are probably doing perfectly normal DNS queries.
Run a packet sniffer with a good analyzer tool and check. I think Ethereal can decode any valid DNS requests.

> -----Original Message-----
> From: Carl R Diliberto [mailto:cdiliberto@;hotmail.com]
> Sent: Wednesday, October 30, 2002 5:46 AM
> To: security-basics
> Subject: TCP DNS requests
>
>
> We are reporting TCP-based DNS requests to one of our DNS servers coming
> from internal client IP addresses. My manager would like to block the TCP
> packets. What or why would there be random TCP packets? We monitored
> several clients and it appears it only needs UDP.
>
> Thanks
> Carl
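The reply above describes the rule a resolver follows: send the query over UDP, and if the server answers with the TC (truncated) bit set because the full reply did not fit, repeat the same query over TCP, where each DNS message is prefixed with a two-byte length. The following Python is an added example, not part of the thread and not code from either poster. It builds a query, parses the header, implements that fallback, and runs it offline against two constructed fake servers (one that answers over UDP, one that truncates). The helper names (build_query, resolve, fake_udp_truncated, fake_tcp), the transport callables and the sample address 192.0.2.1 are assumptions made for the illustration. Blocking TCP/53 means the second step can never succeed, which is exactly the "works sometimes, not others" symptom the reply warns about.

```python
"""Worked example: DNS truncation (TC bit) and the retry over TCP. Added example, not from the thread."""
import struct

# Flag bits in the 16-bit flags word of the DNS header (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: the answer did not fit in the UDP reply
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_name(qname):
    """Encode 'www.example.com' as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """Standard recursive query: header (id, flags, qd=1, an=0, ns=0, ar=0) + question (type A=1, class IN=1)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; the TC flag is what drives the TCP fallback."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 16-bit big-endian length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream into whole DNS messages; returns (messages, unconsumed tail)."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break  # partial message, wait for more bytes
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs, stream[i:]


def resolve(query, send_udp, send_tcp):
    """Resolver side of the exchange: UDP first, then TCP only if the reply was truncated.

    send_udp(bytes) -> bytes and send_tcp(bytes) -> bytes are transport callables
    (assumption for this example) so the logic can run without a network.
    Returns (response_message, transport_used)."""
    reply = send_udp(query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")
    if not hdr["tc"]:
        return reply, "udp"
    # TC set: the UDP reply is incomplete, so repeat the identical query over TCP.
    # If TCP/53 is blocked this call fails and the name never resolves.
    msgs, _ = tcp_unframe(send_tcp(tcp_frame(query)))
    return msgs[0], "tcp"


# ---- Constructed fake servers (not captures from any real network) ----

def make_response(query, extra_flags, answer_bytes=b""):
    """Echo the question section back with a response header and optional answer RR."""
    txid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | extra_flags
    ancount = 1 if answer_bytes else 0
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:] + answer_bytes


# A record RR: name pointer to offset 12, type A, class IN, TTL 300, rdlength 4, 192.0.2.1 (documentation range)
A_RR = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])


def fake_udp_ok(query):
    return make_response(query, 0, A_RR)


def fake_udp_truncated(query):
    # Server could not fit the answer: sets TC and sends no answer records.
    return make_response(query, FLAG_TC)


def fake_tcp(framed_query):
    msgs, _ = tcp_unframe(framed_query)
    return tcp_frame(make_response(msgs[0], 0, A_RR))


def demo():
    """Run both scenarios; returns (transport used, transport used, answer count of the TCP reply)."""
    q = build_query("www.example.com")
    _, via_small = resolve(q, fake_udp_ok, fake_tcp)
    full, via_big = resolve(q, fake_udp_truncated, fake_tcp)
    return via_small, via_big, parse_header(full)["ancount"]


if __name__ == "__main__":
    print(demo())
```

On a real network, the same logic applies when a sniffer shows a UDP answer with TC=1 followed by the client opening TCP/53 to the same server: that is the normal protocol behaviour, not a client misbehaving.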