tcp/udp, clarification please
brad.knowles at skynet.be
Thu Oct 11 15:09:37 UTC 2001
At 10:04 AM -0400 2001/10/11, Eoin Miller wrote:
> how would having no TCP access to my DNS servers prevent adoption of better
> security tools?
Because advanced DNS security measures like TSIG and DNSSEC
make the packets so large that they are almost certainly guaranteed
to be too big to fit into a single UDP packet?
> my zone transfers would still be going over TCP because i
> have a firewall/DMZ setup, and behind the firewall TCP is allowed to
> transfer between the boxes, but to the outside world only UDP is accessible,
This is fundamentally the wrong way to do it. Allow both TCP
and UDP through to your nameserver, and then use the mechanisms built
into the nameserver software (e.g., BIND) to restrict who is/is not
allowed to perform a zone transfer.
If you choose to configure your nameserver in any other
fashion, you're welcome to support the thing entirely and completely
on your own, but please don't ask anyone else in the world for any
And once again, I must ask you to stop lying about your
return e-mail address, and causing e-mail replies to be sent back to
the US Federal Trade Commission. If anything, by this action, you
are as bad a criminal as (or worse than) all the spammers out there.
If you continue to participate in this illegal activity, then
I will be forced to contact the appropriate people at RCN and begin
proceedings to have your account terminated.
Brad Knowles, <brad.knowles at skynet.be>
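A worked illustration of the truncation problem Brad describes, added here as an example and not part of the original thread or of BIND itself. It builds a small DNS reply and an oversized one (constructed TXT records stand in for the large RRSIG/DNSKEY data DNSSEC adds), applies the classic 512-byte DNS-over-UDP limit from RFC 1035 (no EDNS0 is assumed), and simulates the client's retry over TCP after a TC-flagged reply. With TCP/53 blocked at the firewall, the oversized answer is simply never delivered; the names and record contents are made up for the example.

```python
import struct

UDP_MAX = 512       # RFC 1035 DNS-over-UDP payload limit; no EDNS0 assumed
FLAG_QR = 0x8000    # message is a response
FLAG_AA = 0x0400    # authoritative answer
FLAG_TC = 0x0200    # truncated: client should retry over TCP
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_txt_rr(name, text):
    """One TXT RR (text < 256 chars); constructed stand-in for large DNSSEC RRs."""
    rdata = bytes([len(text)]) + text.encode("ascii")
    return encode_name(name) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata


def build_response(qname, rrs):
    """Full authoritative response: header, one question, the answer RRs."""
    header = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_AA, 1, len(rrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    return header + question + b"".join(rrs)


def _question_end(msg):
    """Offset just past the question section (assumes exactly one question)."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4  # root label + QTYPE + QCLASS


def udp_reply(full):
    """What fits in one UDP datagram. If the full answer is too big the server
    sends header + question only, with TC set and ANCOUNT = 0."""
    if len(full) <= UDP_MAX:
        return full
    header = bytearray(full[:12])
    flags = struct.unpack("!H", header[2:4])[0] | FLAG_TC
    header[2:4] = struct.pack("!H", flags)
    header[6:8] = struct.pack("!H", 0)  # ANCOUNT = 0: answers were dropped
    return bytes(header) + full[12:_question_end(full)]


def tcp_reply(full):
    """DNS over TCP: two-byte length prefix, no 512-byte limit."""
    return struct.pack("!H", len(full)) + full


def resolve(full, tcp_allowed):
    """Client side: query over UDP; on TC retry over TCP if the firewall
    passes TCP/53, otherwise give up. Returns (transport, answer_count)."""
    reply = udp_reply(full)
    flags = struct.unpack("!H", reply[2:4])[0]
    if not flags & FLAG_TC:
        return "udp", struct.unpack("!H", reply[6:8])[0]
    if not tcp_allowed:
        return "failed", 0          # TC seen, but TCP/53 is filtered
    framed = tcp_reply(full)
    length = struct.unpack("!H", framed[:2])[0]
    msg = framed[2:2 + length]
    return "tcp", struct.unpack("!H", msg[6:8])[0]


# Constructed sample data: one short record, and eight 100-byte records
# that together push the reply well past 512 bytes.
ZONE = "example.test"
SMALL = build_response(ZONE, [build_txt_rr(ZONE, "v=spf1 -all")])
LARGE = build_response(ZONE, [build_txt_rr(ZONE, "x" * 100) for _ in range(8)])

if __name__ == "__main__":
    print("small reply bytes:", len(SMALL), "->", resolve(SMALL, tcp_allowed=False))
    print("large reply bytes:", len(LARGE))
    print("large, TCP open:   ", resolve(LARGE, tcp_allowed=True))
    print("large, TCP blocked:", resolve(LARGE, tcp_allowed=False))
```

The same mechanism is why Brad's advice is to pass both transports to the nameserver and restrict zone transfers in the software instead (BIND's allow-transfer option is the usual place): the firewall cannot tell an AXFR from a legitimate TCP retry of a truncated answer, so blocking TCP/53 punishes every client whose answer outgrows a datagram.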