tcp/udp, clarification please

Brad Knowles brad.knowles at
Thu Oct 11 20:37:27 UTC 2001

At 11:43 AM -0400 2001/10/11, Eoin Miller wrote:

>  brad... the DNS servers can talk to each other using TCP no problem, *ONLY*
>  the rest of the world is blocked from using anything other than UDP, the DNS
>  servers can use TSIG no problem, ONLY INCOMING TCP requests would
>  be blocked at the firewall, on the DMZ the TCP traffic would flow freely
>  back and forth between NS1 and NS2.

	But DNSSEC is something done between your servers and the 
rest of the world, so blocking TCP still breaks that.  And it probably 
wouldn't be too much fun with IPv6 (which makes addresses much, much 
longer), either.

	However, as I previously pointed out, the real security issue 
with DNS is from *UDP* packets, not *TCP*.  Therefore, if you want to 
make your nameserver truly secure, you will turn off all UDP packets 
at your firewall to your nameserver.

	Please make sure that you do this ASAP, so as to protect 
yourself against cache poisoning, DoS, and other spoofing attacks.

	BTW, I am now filing a complaint with RCN to get your account 

Brad Knowles, <brad.knowles at>
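An added illustration, not part of the original thread: a small Python sketch of what a resolver does with a UDP reply. It discards a reply whose transaction ID does not match the outstanding query (the basic defence against spoofed UDP answers), and when the TC bit is set it has to repeat the query over TCP, which is exactly the step an inbound-TCP block at the firewall prevents. The headers are constructed samples; the function names are my own, not from any resolver.

```python
import struct

# DNS header layout (RFC 1035 s4.1.1): id, flags, qdcount, ancount, nscount, arcount
DNS_HEADER = struct.Struct("!HHHHHH")

def build_header(txid, qr, tc, rcode=0, qdcount=1, ancount=0):
    """Construct a 12-byte DNS header for a test message (sample data only)."""
    flags = (qr << 15) | (tc << 9) | (rcode & 0xF)
    return DNS_HEADER.pack(txid, flags, qdcount, ancount, 0, 0)

def parse_header(msg):
    """Decode the fields a resolver looks at before trusting a reply."""
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "tc": (flags >> 9) & 1,    # 1 = answer did not fit in the UDP datagram
        "rcode": flags & 0xF,
        "ancount": an,
    }

def accept_udp_reply(expected_id, msg):
    """Accept a UDP reply only if it is a response carrying the ID we sent.
    (Real resolvers also match the question section and source address/port.)"""
    h = parse_header(msg)
    return h["qr"] == 1 and h["id"] == expected_id

def resolve_outcome(expected_id, udp_reply, tcp_allowed):
    """Outcome of one query given the UDP reply and whether the firewall
    lets the resolver reach the nameserver over TCP."""
    if not accept_udp_reply(expected_id, udp_reply):
        return "dropped"            # mismatched ID: ignored, not cached
    if parse_header(udp_reply)["tc"]:
        # Truncated (typical for large DNSSEC answers): must retry over TCP.
        return "retry-over-tcp" if tcp_allowed else "fails"
    return "answered"

# Constructed sample replies for query ID 0x1234.
SMALL_ANSWER = build_header(0x1234, qr=1, tc=0, ancount=1)
TRUNCATED    = build_header(0x1234, qr=1, tc=1)
WRONG_ID     = build_header(0x9999, qr=1, tc=0, ancount=1)
```

With TCP blocked inbound, TRUNCATED yields "fails": the resolver never obtains the full answer, while WRONG_ID is discarded regardless of transport.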