find me a response to a client resolver request that doesn't fit in a single UDP packet, and i'll stop seeing red every time i see someone recommend allowing TCP 53 from any IP to their DNS server (*).
Theoretically (since I don't know of any such implementation), it is perfectly legal to have resolver library that first tries TCP, and than UDP :-P
Of course, such approach would be waste of network resources (sending one UDP datagram one way, and another the other way is usually at least as fast as only establishihg new TCP connection without sending any data through it).
Anyhow, I don't see why are you going red when you see TCP port 53 open? If it is possible for random internet site to fetch zone from DNS server, it is misconfiguration of DNS server, not of the firewall. OSI layers and all that stuff, you know ;-). If your DNS server does not allow you to restrict who can do zone transfers, that you should seriously consider switching to different DNS server that does. It is the same as if you were to restrict one directory on HTTP server to only certain range of IP addresses, and than blame it on firewall when you misconfigure HTTP server.
-- Aleksandar Milivojevic <amilivojevic@xxxxxx> Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
