Hello,

Alejandro G. Belluscio <[EMAIL PROTECTED]> wrote:

> Hello David,
> Wednesday, February 19, 2003, 11:29:47 AM, you wrote:
> David> DNS sometimes also uses TCP on port 53 for large packets, so you
> David> probably want to allow that as well.
> I don't think so. DNS uses TCP only for zone transfers.

Are you sure about that? In RFC 1035 you can read:

-----8<-----
The Internet supports name server access using TCP [RFC-793] on server
port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
port 53 (decimal).
----->8-----

Packets longer than 512 bytes can be truncated, or the client asks over TCP; this is well explained in "W. Richard Stevens - TCP/IP Illustrated, Volume 1: The Protocols".

I know that most "normal" traffic is transported by UDP, and TCP is left for the zone transfers. I also have 53/tcp blocked on my packet filter, but just to be exact, DNS also works over TCP.

> 2) No software has the security track record of BIND (ok, may be MS,

The 2 versions of bind that I have seen in OpenBSD aren't that bad. But for the version we have never seen in OpenBSD that's true.

best regards
Maik
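The truncation-then-TCP behaviour Maik cites from RFC 1035 is easy to see in code. The block below is an added example written for this page; it is not code from any poster in the thread. It builds a standard query, parses the header flags, decides what a resolver does when a 512-byte UDP reply comes back with the TC bit set, and shows the two-byte length prefix that DNS-over-TCP uses on port 53. All function names are hypothetical, and the truncated reply is a constructed sample (zero-padded, no real resource records) rather than a capture.

```python
import struct

# Added example, not code from the mailing-list thread. It illustrates the two
# DNS transports from RFC 1035: a UDP reply with the TC (truncated) bit set
# tells the client to repeat the query over TCP port 53, where every message
# is prefixed with a 16-bit big-endian length.

UDP_MAX = 512      # classic RFC 1035 limit for UDP messages (pre-EDNS0)
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated
FLAG_RD = 0x0100   # recursion desired


def encode_name(name):
    """Encode 'www.example.org' as DNS labels: 3www7example3org0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, qid=0x1234):
    """Standard query: header (RD set, one question) + QNAME/QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict of the fields we care about."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def frame_tcp(msg):
    """RFC 1035 4.2.2: over TCP each message carries a 2-byte length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Split a TCP byte stream into complete DNS messages; return (msgs, leftover)."""
    msgs = []
    while len(stream) >= 2:
        (n,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + n:
            break  # rest of this message has not arrived yet
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


def choose_transport(udp_reply, query):
    """What a resolver does with a UDP reply: discard, accept, or retry over TCP."""
    h = parse_header(udp_reply)
    q = parse_header(query)
    if h["id"] != q["id"] or not h["qr"]:
        return "discard"        # not a reply to our query (or ID mismatch)
    if h["tc"]:
        return "retry-tcp"      # server could not fit the answer in 512 bytes
    return "accept"


def constructed_truncated_reply(query):
    """Constructed sample: echo of the query with QR+TC set, padded to 512 bytes."""
    qid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", qid, flags | FLAG_QR | FLAG_TC, qd, 0, 0, 0)
    # Zero filler stands in for the partial resource records of a real reply.
    return (header + query[12:]).ljust(UDP_MAX, b"\x00")


if __name__ == "__main__":
    q = build_query("www.example.org")
    r = constructed_truncated_reply(q)
    print("UDP reply decision:", choose_transport(r, q))
    print("TCP-framed query:", frame_tcp(q)[:2].hex(), "+", len(q), "bytes")
```

The point for a packet filter is visible in `choose_transport`: a resolver that receives a TC=1 reply will open a connection to 53/tcp, so a rule that allows only 53/udp silently breaks any answer that does not fit in 512 bytes.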
