** Reply to message from ed <[EMAIL PROTECTED]> on Thu, 6 Oct 2005 14:04:20 +0100

>Zone transfers are on tcp/53, DNS lookups are 53/udp, so:

That's not quite the whole story: 53/tcp is also used when the response to a query is too big for a single UDP packet (the resolver sends a UDP query and gets a 'truncated' UDP reply, so the resolver retries the query using TCP) -- you should always pass both UDP and TCP for port 53 to avoid occasional obscure failures.

>pass in on $ext_if proto udp from any to $DNS port 53 keep state
>
>and if required:
>
>pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state

Dave

-- 
Dave Anderson <[EMAIL PROTECTED]>
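The mechanism Dave describes (UDP query, reply with the truncation flag set, same query re-sent over TCP) is what makes the tcp/53 rule necessary for ordinary lookups and not just zone transfers. The following is an added example, not code from this thread or from pf: a minimal stub-resolver decision step that parses the DNS header of a UDP reply, checks the TC bit, and produces the length-prefixed message that would go out over tcp/53. The query, the truncated reply and the full reply are constructed inline, so it runs offline; the function names and the transaction id 0x1234 are assumptions made for the example.

```python
"""
Added example (not part of the original mailing-list thread): how a stub
resolver decides to retry over TCP after a truncated UDP reply, which is why
a firewall must pass both udp/53 and tcp/53. All messages are constructed
inline; no network access is needed.
"""
import struct

TC_BIT = 0x0200  # "TrunCation" flag in the DNS header flags word (RFC 1035 section 4.1.1)


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query message (12-byte header + one question)."""
    # flags 0x0100: QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # qtype, class IN


def parse_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "tc": bool(flags & TC_BIT),   # 1 = answer did not fit in the UDP reply
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(query: bytes, udp_reply: bytes) -> bool:
    """True when the UDP reply answers our query (matching id) and has TC set."""
    q_id = struct.unpack("!H", query[:2])[0]
    h = parse_header(udp_reply)
    return h["qr"] and h["id"] == q_id and h["tc"]


def frame_for_tcp(query: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(query)) + query


def resolve_transport(query: bytes, udp_reply: bytes) -> tuple:
    """
    Decide the resolver's next step: ("udp", reply) when the UDP answer is
    usable, or ("tcp", framed_query) when it was truncated and the identical
    query must be re-sent to port 53 over TCP.
    """
    if needs_tcp_retry(query, udp_reply):
        return ("tcp", frame_for_tcp(query))
    return ("udp", udp_reply)


# Constructed sample: reply to our query with QR=1, TC=1, RD=1, RA=1 and no answer
# records, as a nameserver sends when the full answer will not fit in the UDP payload.
QUERY = build_query("example.com", qtype=1, txid=0x1234)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
# Constructed sample: a normal reply (QR=1, RD=1, RA=1, TC=0) carrying one A record.
FULL_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    for name, reply in (("truncated", TRUNCATED_REPLY), ("full", FULL_REPLY)):
        transport, payload = resolve_transport(QUERY, reply)
        print(f"{name:9s} reply -> next step over {transport} ({len(payload)} bytes)")
```

When `resolve_transport` returns `"tcp"`, the resolver opens a TCP connection to the same server on port 53; if the firewall passes udp/53 but drops or narrows tcp/53, that retry never completes and the lookup fails only for the names whose answers are large, which is exactly the kind of occasional, hard-to-diagnose failure the reply warns about.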