On Thu, 2004-09-23 at 10:34, Aleksandar Milivojevic wrote:
> Theoretically (since I don't know of any such implementation), it is
> perfectly legal to have a resolver library that first tries TCP, and then
> UDP :-P
>
> Of course, such an approach would be a waste of network resources (sending
> one UDP datagram one way, and another the other way is usually at least
> as fast as only establishing a new TCP connection without sending any data
> through it).
>
> Anyhow, I don't see why you are going red when you see TCP port 53 open?
> If it is possible for a random internet site to fetch a zone from a DNS
> server, it is a misconfiguration of the DNS server, not of the firewall. OSI
> layers and all that stuff, you know ;-).

It comes from the days of BIND offering up remote root exploits more often than I care to remember. Not allowing TCP 53 through the firewall allowed one to get at least a couple of winks over the course of a night.

> If your DNS server does not
> allow you to restrict who can do zone transfers, then you should
> seriously consider switching to a different DNS server that does.

Just adding layers to the onion.

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>