Hi, Both domain-udp and domain-tcp are required for domain lookup. As long as I restrictive the domain transfer on bind, then it is safe to set a firewall rule any->any->domain_udp,domain_tcp->accept? Regards, Norman