Carl,

I believe that DNS lookups use UDP because the request and response can each fit into one packet. If a DNS request is for some reason larger than 512 bytes, which is the maximum size for a UDP packet (RFC1035 [6]), then the client will use TCP instead. Closing this port to internal clients could therefore prevent some DNS lookups.

Why some lookups would be larger I guess would depend on the length of the domain name contained in the packet(s)?

Mike Powell
Barry College
Wales
[EMAIL PROTECTED]

-----Original Message-----
From: Carl R Diliberto [mailto:cdiliberto@;hotmail.com]
Sent: 30 October 2002 13:46
To: security-basics
Subject: TCP DNS requests

We are reporting TCP based DNS requests to one of our DNS servers coming from internal, client IP addresses. My manager would like to block the TCP packets. What or why would there be random TCP packets? We monitored several clients and it appears it only needs UDP.

Thanks
Carl
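As an added example (not part of this thread, and not code from either poster), the following Python sketch shows the RFC 1035 mechanism behind the reply above: a server whose answer would not fit in the 512-byte UDP message limit returns a reply with the TC (truncation) bit set, and the client then repeats the same query over TCP, where every message is prefixed with a two-byte length. This is why a client that normally only sends UDP/53 will occasionally open TCP/53 to the resolver, and why dropping those TCP packets breaks the affected lookups. The query/response builders, the constructed sample reply and all function names here are this example's own, not a library API.

```python
import struct

# RFC 1035 section 2.3.4: DNS messages carried over UDP are limited to 512 bytes.
UDP_MAX_MESSAGE = 512
TC_FLAG = 0x0200  # TrunCation bit in the header flags word


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("each label must be 1..63 bytes long")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Build a standard recursive query (QTYPE default 1 = A, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: the fields a resolver checks before reading the body."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "tc": bool(flags & TC_FLAG),  # 1 = answer was cut at the UDP limit
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(query: bytes, response: bytes) -> bool:
    """RFC 1035 4.2.1: a UDP response with TC set is incomplete; the client must retry over TCP."""
    q = parse_header(query)
    r = parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("response does not belong to this query")
    return r["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP each message carries a two-byte big-endian length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for the 16-bit TCP length prefix")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> list:
    """Split a TCP byte stream into the complete DNS messages it carries; a trailing partial message is left."""
    msgs = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break  # rest of this message has not arrived yet
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


def make_reply(query: bytes, truncated: bool) -> bytes:
    """Constructed sample reply (this example's own, not captured traffic): header plus echoed
    question section, with TC set when the server had to cut the answer at the UDP limit."""
    qid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    reply_flags = 0x8000 | 0x0100 | 0x0080  # QR, RD, RA
    if truncated:
        reply_flags |= TC_FLAG
    return struct.pack("!HHHHHH", qid, reply_flags, qd, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    udp_reply = make_reply(q, truncated=True)
    assert len(udp_reply) <= UDP_MAX_MESSAGE
    if needs_tcp_retry(q, udp_reply):
        framed = tcp_frame(q)
        print("TC set in UDP reply; client repeats the query over TCP:", len(framed), "bytes on the wire")
```

On a real network the UDP reply would come from the resolver rather than from make_reply, and the framed query would be written to a TCP socket on port 53; the header and framing logic is the same. From a monitoring point of view, a TCP/53 connection from a client immediately after a UDP exchange with the same query ID is the expected fallback, not an anomaly.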
