* James Miller ([EMAIL PROTECTED]) wrote:
> If memory serves, AXFR is a zone transfer. So, at your firewall, you would want to only allow TCP queries from your backup (secondary, tertiary, etc.) DNS servers (on the outside of your firewall) and limit everyone else to UDP queries. And for your bind9 config, something like this:
It is not a good idea to block TCP packets to your DNS server, since TCP is not only used for zone transfers; it is also used when answering a DNS query with a response that does not fit in a normal UDP datagram.
In fact, the limit is much lower, namely 512 bytes (a UDP datagram has a 16-bit length field). But whether your server's responses will have to be truncated is entirely under your control, and many sites don't have RRs that will cause a response of more than 512 bytes to be used.
Cheers, Tobias
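The point of the reply above, that a DNS server needs TCP/53 even when it never serves zone transfers, can be shown with a few lines of wire-format handling. The following is an added example and not code from the thread or from BIND: it builds an authoritative A response per RFC 1035, drops answers and sets the TC (truncated) bit once the message would exceed the classic 512-byte UDP limit, and shows the resolver-side check that triggers the retry over TCP. The record name and addresses are constructed sample data, and the 512-byte ceiling assumes a resolver without EDNS.

```python
"""
Added example (not from the original mailing-list thread): why a DNS server
still needs TCP even if it never serves zone transfers. Classic DNS over UDP
is limited to a 512-byte message (RFC 1035); when the answer set does not fit,
the server sets the TC bit and the resolver retries the query over TCP/53.
Blocking TCP/53 at the firewall therefore breaks resolution of large RR sets.
Names and addresses below are constructed sample data.
"""
import struct

UDP_MAX = 512                      # classic DNS/UDP limit without EDNS
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200
HEADER_LEN = 12                    # ID, flags, QD/AN/NS/AR counts


def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def a_record(name, ip, ttl=300):
    """One A resource record in wire format: NAME TYPE CLASS TTL RDLEN RDATA."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata


def build_response(txid, name, ips):
    """Authoritative A response for `name` that fits in UDP_MAX bytes.

    Answers are appended in order until the next one would overflow the UDP
    limit; the rest are dropped and the TC bit is set, which is what a real
    server does before the resolver falls back to TCP.
    """
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    flags = FLAG_QR | FLAG_AA
    kept = []
    size = HEADER_LEN + len(question)
    for ip in ips:
        rr = a_record(name, ip)
        if size + len(rr) > UDP_MAX:
            flags |= FLAG_TC       # signal "incomplete, retry over TCP"
            break
        kept.append(rr)
        size += len(rr)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(kept), 0, 0)
    return header + question + b"".join(kept)


def is_truncated(msg):
    """Resolver-side check: TC set means the full answer needs a TCP retry."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & FLAG_TC)


def answer_count(msg):
    """ANCOUNT from the header."""
    return struct.unpack("!H", msg[6:8])[0]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a two-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    small = build_response(0x1234, "www.example.test", ["192.0.2.1", "192.0.2.2"])
    big = build_response(0x1234, "www.example.test",
                         ["192.0.2.%d" % i for i in range(1, 60)])
    print("small: %d bytes, TC=%s" % (len(small), is_truncated(small)))
    print("big:   %d bytes, TC=%s, %d of 59 answers kept"
          % (len(big), is_truncated(big), answer_count(big)))
    print("TCP-framed length prefix for the full retry: %r" % tcp_frame(big)[:2])
```

With the sample name, each A record costs 32 bytes on the wire, so only 14 of the 59 answers fit under 512 bytes and the response goes out truncated; a resolver that sees TC set will reopen the same query on TCP/53, which is exactly the traffic a "UDP only from the world" firewall rule would drop.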