On 2 May 2001, at 8:03, Hiemstra, Brenno wrote:

> "There are some known problems when only allowing DNS UDP queries
> to go out your firewall. Although DNS TCP is only for zone transfers
> it is sometimes recommended to allow DNS TCP to go out to your
> ISP DNS servers"
> 
> I mean by this that DNS TCP isn't only used for zone transfers although
> the DNS & Bind book is telling another story. I know for sure that TCP is
> also used for DNS queries.

I can back this statement up - I use NTMail from Gordano which has a 
setting to allow DNS lookups by TCP if the returned MX data is too big to fit 
into a UDP response, but if DNS TCP lookups are disabled at a remote DNS 
that is the primary NS for a domain I'm sending mail to, this would result in 
my mail server either using the incomplete UDP data to determine the MX 
records to use (and if it's tried all the ones in the packet then it won't be able 
to send the message if the first available mail host is a long way down the 
MX response) or not sending the message at all. And I'm sure that NTMail 
isn't the only program that uses DNS TCP querying.

Dan

---
D.C. Crichton                 email: [EMAIL PROTECTED]
Senior Systems Analyst        tel:   +44 (0)121 706 6000
Computer Manuals Ltd.         fax:   +44 (0)121 606 0477

Computer book info on the web:
   http://computer-manuals.co.uk/
Want to earn money? Join our affiliate network!
   http://computer-manuals.co.uk/affiliate/


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
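The behaviour the message describes, as an added example that is not part of the original post or of NTMail: a UDP DNS answer that did not fit is returned with the TC (truncation) bit set, and a resolver is expected to repeat the same query over TCP port 53, where the message is prefixed by a two-byte length (RFC 1035). The code below builds an MX query, checks the TC bit, frames the query for TCP, parses MX records out of a reply, and shows the two outcomes at a firewall that only passes UDP/53: complete data when TCP is allowed, partial MX data when it is not. The replies and the example.com mail hosts are constructed inline so it runs offline; a real truncation only happens past 512 bytes, the sample replies are kept short.

```python
"""Added example (not from the original mailing-list post): how a resolver
decides to retry an MX lookup over TCP, and what a UDP-only firewall leaves it with.
All DNS messages here are constructed locally; no network access is made."""
import struct

DNS_UDP_MAX = 512      # classic UDP payload limit, RFC 1035 section 4.2.1
QTYPE_MX = 15
TC_FLAG = 0x0200       # TC bit in the 16-bit flags word (byte 2, mask 0x02)


def encode_name(name):
    """Wire-format labels: 7example3com0."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"


def build_query(qname, qtype=QTYPE_MX, txid=0x1234):
    """Standard query with RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg):
    """Same message on TCP 53: two-byte big-endian length prefix (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def is_truncated(response):
    """True when the server set TC, i.e. the UDP answer is incomplete."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG)


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    parts, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        parts.append(msg[off:off + length].decode())
        off += length
    return ".".join(parts), (end if jumped else off)


def parse_mx(response):
    """Return [(preference, exchange)] from the answer section, lowest preference first."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    off = 12
    for _ in range(qdcount):                 # skip the echoed question
        _, off = read_name(response, off)
        off += 4
    records = []
    for _ in range(ancount):
        _, off = read_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == QTYPE_MX:
            pref = struct.unpack("!H", response[off:off + 2])[0]
            exch, _ = read_name(response, off + 2)
            records.append((pref, exch))
        off += rdlen
    return sorted(records)


def build_response(qname, mx_list, truncated, txid=0x1234):
    """Constructed reply (not from a real server): one MX RR per entry, TC set if truncated."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)   # QR, RD, RA
    question = build_query(qname, txid=txid)[12:]
    answers = b""
    for pref, exch in mx_list:
        rdata = struct.pack("!H", pref) + encode_name(exch)
        # 0xC00C: pointer to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_MX, 1, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, len(mx_list), 0, 0) + question + answers


def choose_mx(udp_response, tcp_response=None, tcp_allowed=True):
    """Resolver decision the post describes. Returns (records, source).

    Not truncated: use the UDP answer. Truncated and TCP/53 open: use the TCP
    answer. Truncated and TCP/53 blocked at the firewall: the mail server is
    left with whatever MX records fit into the UDP packet."""
    if not is_truncated(udp_response):
        return parse_mx(udp_response), "udp"
    if tcp_allowed and tcp_response is not None:
        return parse_mx(tcp_response), "tcp"
    return parse_mx(udp_response), "udp-partial"


# Constructed sample data: four MX hosts for example.com (hypothetical names).
FULL_MX = [(10, "mail1.example.com"), (20, "mail2.example.com"),
           (30, "mail3.example.com"), (40, "mail4.example.com")]
UDP_REPLY = build_response("example.com", FULL_MX[:2], truncated=True)   # TC set, 2 of 4 RRs
TCP_REPLY = build_response("example.com", FULL_MX, truncated=False)     # complete answer

if __name__ == "__main__":
    print("TCP framing:", frame_for_tcp(build_query("example.com"))[:2].hex())
    print("TCP/53 allowed:", choose_mx(UDP_REPLY, TCP_REPLY, tcp_allowed=True))
    print("TCP/53 blocked:", choose_mx(UDP_REPLY, TCP_REPLY, tcp_allowed=False))
```

With TCP/53 blocked outbound, `choose_mx` returns only the two MX hosts that fit in the UDP packet; if both are down, the mail server has no third and fourth host to try, which is the delivery failure the message describes. The firewall rule that avoids it is the one Brenno quotes: allow TCP/53 outbound to the resolvers you actually use, not only UDP/53.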
