On Thu, 2004-09-23 at 07:23, Nick Drage wrote:
> On Thu, Sep 23, 2004 at 01:09:43PM +0200, Samuel Díaz García wrote:
> > For DNS query only UDP is necessary, not TCP.
>
> Heh, that's such a common misconception that I almost mentioned it in my
> original email.

i'm surprised you didn't...as it comes up here every time DNS is mentioned.
and you're 100% right about it being a misconception.

> Most DNS queries take place over UDP, however if the
> reply to the query is especially large then a new TCP connection is
> opened between the client and server.

find me a response to a client resolver request that doesn't fit in a
single UDP packet, and i'll stop seeing red every time i see someone
recommend allowing TCP 53 from any IP to their DNS server (*).

> Also zone transfers take place
> over TCP IIRC, it depends what kind of functionality the DNS server will
> be providing.

TCP 53 is for zone transfers. there is no reason to allow TCP from any
IP's other than your slave servers. i also recommend ACL-ing zone
transfers in your DNS server configuration as well.

(*) the biggest response i've come across that i can recall is an MX record
lookup for earthlink.net, which is about 540 bytes on the wire and still
"fits" in a single UDP packet. people that manage DNS servers that respond
with messages of this size are aware that many people that they want
receiving these answers will not allow TCP 53 in through their firewall
and act accordingly.

-j
--
Jason Opperisano <opie@xxxxxxxxxxx>
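The UDP-to-TCP fallback Nick describes above (a reply too large for UDP comes back with the TC bit set, and the client retries over TCP 53), shown as an added example that is not part of this thread: it builds a constructed MX response for example.com with made-up exchange names, applies the server-side truncation rule, and shows the header check a stub resolver uses to decide whether a TCP retry is needed. It assumes the classic 512-byte DNS/UDP limit with no EDNS0 in play.

```python
import struct

# Classic DNS-over-UDP payload limit (RFC 1035); assumes EDNS0 is not negotiated.
UDP_MAX_PAYLOAD = 512
FLAG_QR = 0x8000  # header bit: message is a response
FLAG_TC = 0x0200  # header bit: response was truncated to fit UDP


def parse_header(msg: bytes) -> dict:
    """Parse the 12-byte DNS header into the fields a resolver acts on."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(msg: bytes) -> bool:
    """Client side: re-send the query over TCP 53 only when the server set TC."""
    h = parse_header(msg)
    return h["qr"] and h["tc"]


def serve_over_udp(full_response: bytes, question_len: int) -> bytes:
    """Server side (simplified): if the full response exceeds the UDP limit,
    send header + question only, with TC=1 and all RR counts zeroed, so the
    client knows to come back over TCP. Real servers keep whole RRs that fit;
    dropping everything after the question is the simplest conforming choice."""
    if len(full_response) <= UDP_MAX_PAYLOAD:
        return full_response
    ident, flags = struct.unpack("!HH", full_response[:4])
    hdr = struct.pack("!HHHHHH", ident, flags | FLAG_TC, 1, 0, 0, 0)
    return hdr + full_response[12:12 + question_len]


def build_mx_response(ident: int, exchanges) -> tuple:
    """Constructed sample: an MX/IN response for example.com (hypothetical data)
    with one answer RR per exchange name. Returns (message, question_length)."""
    def encode_name(n):
        return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
    question = encode_name("example.com") + struct.pack("!HH", 15, 1)  # QTYPE=MX, QCLASS=IN
    answers = b""
    for pref, exch in enumerate(exchanges, start=10):
        rdata = struct.pack("!H", pref) + encode_name(exch)
        # NAME is a compression pointer to the question name at offset 12.
        answers += struct.pack("!HHHIH", 0xC00C, 15, 1, 3600, len(rdata)) + rdata
    hdr = struct.pack("!HHHHHH", ident, FLAG_QR | 0x0180, 1, len(exchanges), 0, 0)
    return hdr + question + answers, len(question)
```

With eight exchanges the response is well under 512 bytes and goes out as-is; with sixteen it exceeds the limit, the UDP reply carries TC=1 and no answers, and `needs_tcp_retry` tells the client to reissue the query over TCP.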