Unfortunately, this approach may be subject to semi-random failures, because it embodies a common misconception about how DNS works.
A DNS server will use TCP instead of UDP to return the results of a query if the size of the result exceeds some threshold value, even if the original query was not a zone transfer request. For many simple domains, this may never happen in normal operation, but it's not safe to assume that all domains have this property. A properly-configured all-purpose DNS server needs access to both 53/udp and 53/tcp. The correct way to block zone transfers is in the DNS server software config, not the firewall. David Gillett > -----Original Message----- > From: Charlie Winckless [mailto:[EMAIL PROTECTED] > Sent: June 18, 2003 16:27 > To: [EMAIL PROTECTED] > Subject: RE: DNS Records > > Zone transfers happen on 53/TCP, rather than the 53/UDP that > is used for typical lookups. > > As such, if your DNS server is behind a firewall you have > the option of layered security. > > You can configure your DNS server as below -- to only allow > zone transfers from known servers (those which serve as > secondarys for the domains that that server is authoritative > for at a minimum) and only allow 53/TCP connections from > those systems. > > Just in case. :) > > - -- Charlie --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------