Hi all,
I'm wondering...
I keep on hearing in newsgroups as well as in person that blocking dns
traffic over tcp is a good idea.
I understand the idea of blocking incoming tcp connections, i.e. a tcp
connection issued by an external resolver to a local NS, but why should I
block outgoing tcp dns traffic. What's the risk?
Blocking dns tcp connections seems like a solution for those who want to
block zone transfers. But it also blocks the local resolver's ability to
retrieve long dns replies (over 512b) from external NSs.
Isn't it sufficient to block incoming tcp connections? This seems to be like
a simple task in a firewall.
Can it be because a firewall's default dns configuration is blocking tcp
both ways? In such a case a not well-trained administrator will see dns is
working (as most queries are short enough to fit udp) and leave it as is?
What widespread firewalls are using such a default? How wide is the use of
such a two-way-tcp-dns filter in the real world?
Thanks
Guy
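Added example (editor's code, not part of Guy's message): a small model of the mechanism the question turns on, in Python. An RFC 1035 resolver asks over UDP first; if the answer does not fit in 512 bytes the server sets the TC (truncated) bit and the resolver must retry over TCP, where each message is prefixed with a two-byte length. The `NameServer` class, the `resolve` function, the name `example.test` and the 10.0.0.x addresses are all constructed for the demonstration; the `allow_outbound_tcp` flag stands in for the firewall policy being debated. With outbound TCP/53 dropped, short answers still work (so the problem is invisible day to day) while any answer that needs TCP fails.

```python
"""Model of DNS truncation (TC bit) and TCP fallback in a stub resolver.
Editor's example: NameServer, resolve and all names/addresses are constructed."""
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS(0)
TC_FLAG = 0x0200  # truncation bit in the DNS header flags word


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Minimal query: header with RD=1 and one IN/A question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; only the fields this example needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC_FLAG),
            "qdcount": qd, "ancount": an}


def a_record(name, ip, ttl=300):
    """One IN/A resource record: name, type, class, ttl, rdlength, 4-byte address."""
    rdata = bytes(int(o) for o in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


class NameServer:
    """Constructed authoritative server answering one name with N A records."""

    def __init__(self, name, ips):
        self.name, self.ips = name, ips

    def full_response(self, query):
        h = parse_header(query)
        question = query[12:]            # echo the question section unchanged
        answers = b"".join(a_record(self.name, ip) for ip in self.ips)
        header = struct.pack("!HHHHHH", h["id"], 0x8180, 1, len(self.ips), 0, 0)
        return header + question + answers   # flags 0x8180: QR, RD, RA

    def udp(self, query):
        """UDP: if the full answer exceeds 512 bytes, reply with TC=1 and no answers."""
        resp = self.full_response(query)
        if len(resp) <= UDP_LIMIT:
            return resp
        h = parse_header(query)
        header = struct.pack("!HHHHHH", h["id"], 0x8180 | TC_FLAG, 1, 0, 0, 0)
        return header + query[12:]

    def tcp(self, stream):
        """TCP: every message carries a 2-byte big-endian length prefix (RFC 1035 4.2.2)."""
        (n,) = struct.unpack("!H", stream[:2])
        resp = self.full_response(stream[2:2 + n])
        return struct.pack("!H", len(resp)) + resp


class OutboundTcpBlocked(Exception):
    """Raised when a truncated reply cannot be retried because TCP/53 out is dropped."""


def resolve(name, server, allow_outbound_tcp):
    """Stub-resolver logic: UDP first, retry over TCP on TC=1. Returns the answer count."""
    q = build_query(name)
    h = parse_header(server.udp(q))
    if not h["tc"]:
        return h["ancount"]              # complete answer fit in one UDP datagram
    if not allow_outbound_tcp:
        raise OutboundTcpBlocked("truncated reply and outbound TCP/53 is filtered")
    framed = server.tcp(struct.pack("!H", len(q)) + q)
    (n,) = struct.unpack("!H", framed[:2])
    return parse_header(framed[2:2 + n])["ancount"]


if __name__ == "__main__":
    small = NameServer("example.test", ["10.0.0.1", "10.0.0.2"])
    big = NameServer("example.test", ["10.0.0.%d" % i for i in range(1, 31)])
    print("short answer, TCP blocked :", resolve("example.test", small, False))
    print("long answer,  TCP allowed :", resolve("example.test", big, True))
    try:
        resolve("example.test", big, False)
    except OutboundTcpBlocked as e:
        print("long answer,  TCP blocked :", e)
```

The point the model makes is the one in the question: a two-way TCP/53 filter does not break name resolution outright, it breaks only the subset of lookups whose replies exceed 512 bytes, which is exactly why a misconfiguration of this kind can go unnoticed. A stateful rule that permits outbound TCP/53 from the resolver (plus the return half of those connections) while still dropping unsolicited inbound TCP/53 keeps zone transfers from outside blocked without this side effect.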