Blocking TCP

Barry Margolin barmar at genuity.net
Tue Nov 6 18:02:38 UTC 2001


In article <9s98fd$n8f at pub3.rc.vix.com>, Tilo Lutz <TiloLutz at gmx.de> wrote:
>I'm using bind9
>I've read in a Firewall book TCP is only used to do
>zone transfers.

The book is not precise.  Ordinary DNS queries can use TCP, but they
usually don't.

>So I only allow the secondary DNS to do zone transfers.
>But since then, many requests via TCP are blocked by my
>firewall.
>Is it OK blocking these requests or is it "unhealthy"?

You should allow them.

If you want to limit who can do zone transfers, use the allow-transfer
option in named.conf.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
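As an added illustration of the advice above (not part of Barry's post), here is a named.conf fragment that restricts zone transfers with allow-transfer instead of relying on the firewall to block TCP; the zone name and the 192.0.2.53 secondary address are constructed placeholders.

```conf
// Constructed example: 192.0.2.53 stands in for the secondary's address.
acl "secondaries" { 192.0.2.53; };

options {
    directory "/var/named";
    // Default for every zone: nobody may pull a transfer unless a zone
    // statement says otherwise. Ordinary queries over UDP and TCP are
    // unaffected, so port 53/tcp can stay open on the firewall.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only the listed secondary may AXFR/IXFR this zone.
    allow-transfer { secondaries; };
    also-notify { 192.0.2.53; };
};
```

Check the result from a host that is not in the acl: a transfer request should be refused by named itself, while a normal query over TCP still succeeds.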