Blocking TCP
Danny Mayer
mayer at gis.net
Tue Nov 6 23:36:28 UTC 2001
At 02:22 PM 11/6/01, Jim Reid wrote:
> >>>>> "Tilo" == Tilo Lutz <TiloLutz at gmx.de> writes:
>
> Tilo> I'm using bind9. I've read in a firewall book that TCP is only
> Tilo> used to do zone transfers. So I only allow the secondary DNS
> Tilo> to do zone transfers. But since then, many requests via TCP
> Tilo> are blocked by my firewall. Is it OK blocking these
> Tilo> requests, or is it "unhealthy"?
>
>Preventing TCP queries is simply wrong. In the DNS TCP is not just
>used for zone transfers.
In addition, TCP is just for the zone transfer itself. A slave also needs to do
a regular UDP query for the SOA record to see if the serial number has changed.
If it can't do that, it won't attempt a zone transfer.
Danny
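The check described in this reply, shown as an added example rather than code from the post or from BIND: a slave builds a UDP SOA query, reads the serial out of the master's answer, compares it with its own serial using RFC 1982 serial arithmetic, and only then decides whether an AXFR over TCP (with the 2-byte length prefix that DNS-over-TCP requires) is needed. It also covers the case Jim Reid's point leaves implicit: if the UDP answer comes back with the TC bit set, the query has to be repeated over TCP, which is the RFC 1035 behaviour and one reason a firewall cannot treat TCP/53 as zone-transfer-only. The zone name, nameserver and hostmaster names, serial values, and the server-side `build_soa_response` helper are constructed here for illustration only.

```python
"""Slave-side SOA serial check in raw DNS wire format (stdlib only).

Added example: nothing here is taken from the post or from BIND.
Names, serials and the server-side response builder are constructed
solely so the exchange can be run offline.
"""
import struct

QTYPE_SOA, QTYPE_AXFR, QCLASS_IN = 6, 252, 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, offset):
    """Return (name, offset_after_name); follows 0xC0 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if end is None else end   # resume after first pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(qname, qtype, qid=0x1234):
    """Header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def build_soa_response(query, mname, rname, serial, truncated=False):
    """Constructed master-side answer; with truncated=True only TC is set."""
    qid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0 if truncated else 1, 0, 0)
    if truncated:
        return header + question
    # SOA RDATA: MNAME, RNAME, SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM
    rdata = encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", serial, 7200, 900, 1209600, 3600)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rr


def parse_soa_serial(response):
    """Serial from the first IN SOA answer, or None if TC is set (retry over TCP)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & FLAG_TC:
        return None
    offset = 12
    for _ in range(qdcount):                           # skip question section
        _, offset = decode_name(response, offset)
        offset += 4
    for _ in range(ancount):
        _, offset = decode_name(response, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SOA and rclass == QCLASS_IN:
            _, p = decode_name(response, offset)       # MNAME
            _, p = decode_name(response, p)            # RNAME
            return struct.unpack("!I", response[p:p + 4])[0]
        offset += rdlength
    return None


def serial_is_newer(remote, local):
    """RFC 1982 comparison: remote is ahead of local modulo 2^32."""
    diff = (remote - local) % (1 << 32)
    return 0 < diff < (1 << 31)


def decide_transfer(local_serial, udp_response):
    """What a slave does next after the UDP SOA answer arrives."""
    remote = parse_soa_serial(udp_response)
    if remote is None:
        return "retry-soa-over-tcp"
    if serial_is_newer(remote, local_serial):
        return "axfr-over-tcp"
    return "up-to-date"


if __name__ == "__main__":
    q = build_query("example.com.", QTYPE_SOA)
    r = build_soa_response(q, "ns1.example.com.", "hostmaster.example.com.", 2001110601)
    print(decide_transfer(2001110600, r))
    print(tcp_frame(build_query("example.com.", QTYPE_AXFR))[:2].hex())
```

`decide_transfer` is the whole of the slave's decision: no SOA answer over UDP, no AXFR; and the AXFR itself, like any query repeated after a truncated answer, goes out framed by `tcp_frame` on TCP/53.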
More information about the bind-users mailing list