tcp/udp, clarification please

Brian Salomaki brian at
Thu Oct 11 19:58:00 UTC 2001

TCP traffice *needs* to go through the firewall to the internet, not just to 
the other nameserver.  If a client/resolver anywhere on the internet queries 
your server, and gets a truncated response, then it will retry the query 
using TCP.  If TCP isn't enabled, then that client will not be able to 
properly resolve names hosted by your server.  In practice, if you're doing 
very small-scale DNS, then you may not run into this issue, but if you are 
intent on blocking TCP traffic, you're not going to find people particularly 
eager to help you if you ever have problems.  Our stance is that TCP is 
enabled, period.  There's no good reason to disable it, but there are many 
good reasons to leave it enabled.  The most we can do is tell you to enable 
TCP, and we've already done that more times than we probably should have.  If 
you don't enable it, then I suppose that's your problem; we're not going to 
break into your firewall and try to open up TCP traffic on port 53.

On Thursday 11 October 2001 11:43 am, Eoin Miller wrote:
> brad... the DNS servers can talk to each other using TCP no problem, *ONLY*
> the rest of the world is blocked from using anything other than UDP, the
> DNS servers can use TSIG no problem, TCP would ONLY INCOMING TCP requests
> would be blocked at the firewall, on the DMZ the TCP traffic would flow
> freely back and forth between NS1 and NS2.
> "Brad Knowles" <brad.knowles at> wrote in message
> news:9q4d61$6mg at
> > At 10:04 AM -0400 2001/10/11, Eoin Miller wrote:
> > >  how would having no TCP access to my DNS servers prevent adoption of
> better
> > >  security tools?
> >
> > Because advanced DNS security measures like TSIG and DNSSEC
> > make the packets so large that they are almost certainly guaranteed
> > to be too big to fit into a single UDP packet?
> >
> > >                   my zone transfers would still be going over TCP
> because i
> > >  have a firewall/DMZ setup, and behind the firewall TCP is allowed to
> > >  transfer between the boxes, but to the outside world only UDP is
> accessable,
> > This is fundamentally the wrong way to do it.  Allow both TCP
> > and UDP through to your nameserver, and then use the mechanisms built
> > into the nameserver software (e.g., BIND) to restrict who is/is not
> > allowed to perform a zone transfer.
> >
> >
> > If you choose to configure your nameserver in any other
> > fashion, you're welcome to support the thing entirely and completely
> > on your own, but please don't ask anyone else in the world for any
> > help.
> >
> >
> > And once again, I must ask you to stop lying about your
> > return e-mail address, and causing e-mail replies to be sent back to
> > the US Federal Trade Commission.  If anything, by this action, you
> > are as bad as (or worse) a criminal than all the spammers out there.
> >
> > If you continue to participate in this illegal activity, then
> > I will be forced to contact the appropriate people at RCN and begin
> > proceedings to have your account terminated.
> >
> > --
> > Brad Knowles, <brad.knowles at>
> >
> > H4sICIFgXzsCA2RtYS1zaWcAPVHLbsMwDDvXX0H0kkvbfxiwVw8FCmzAzqqj1F4dy7CdBfn7
> > Kc6wmyGRFEnvvxiWQoCvqI7RSWTcfGXQNqCUAnfIU+AT8OZ/GCNjRVlH0bKpguJkxiITZqes
> > MxwpSucyDJzXxQEUe/ihgXqJXUXwD9ajB6NHonLmNrUSK9nacHQnH097szO74xFXqtlbT3il
> > wMsBz5cnfCR5cEmci0Rj9u/jqBbPeES1I4PeFBXPUIT1XDSOuutFXylzrQvGyboWstCoQZyP
> > dxX4dLx0eauFe1x9puhoi0Ao1omEJo+BZ6XLVNaVpWiKekxN0VK2VMpmAy+Bk7ZV4SO+p1L/
> > uErNRS/qH2iFU+iNOtbcmVt9N16lfF7tLv9FXNj8AiyNcOi1AQAA

Brian Salomaki
Gambit Design Internet Services
110 E. State St., Suite 18, Kennett Square, PA 19348

More information about the bind-users mailing list