On Tue, Mar 15, 2011 at 01:08:57PM -0500, Martin McCormick wrote:
> Is there a recommended set of firewall rules that ensure that all
> necessary DNS traffic can enter and leave, even the larger
> packets that result from dns-sec?
> 
>       We want port 53 traffic from anywhere, in this case and
> can send it anywhere, and want to be sure that no port 53
> traffic is being lost.


Many people say "port 53" without specifying that DNS queries need both
UDP port 53 and TCP port 53 for larger queries.  Also, not that ipfw
checks this, but many firewalls come with large UDP packets blocked,
thus breaking EDNS0.  Although there is no firm upper limit, there is a
suggested upper limit of 4096 bytes for EDNS0.


--
/*********************************************************************\
**
** Joe Yao                              j...@tux.org - Joseph S. D. Yao
**
\*********************************************************************/
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
