firewalling

Barry Margolin barmar at alum.mit.edu
Sun Sep 5 04:29:42 UTC 2004


In article <ch9sfo$q3i$1 at sf1.isc.org>,
 Ed Schmollinger <schmolli at frozencrow.org> wrote:

> And of course it's not really against the rules for a resolver to use
> TCP by default.

Yes it is.  From RFC 1123:

6.1.3.2  Transport Protocols

            DNS resolvers and recursive servers MUST support UDP, and
            SHOULD support TCP, for sending (non-zone-transfer) queries.
            Specifically, a DNS resolver or server that is sending a
            non-zone-transfer query MUST send a UDP query first.  If the
            Answer section of the response is truncated and if the
            requester supports TCP, it SHOULD try the query again using
            TCP.

Microsoft Exchange is violating the protocol by only using TCP.

Anyway, I'm not sure how relevant this is to the OP.  This behavior of
Exchange is between the clients and the caching nameserver.  I think the
OP wanted to know what ports to open up on his firewall between the
nameserver and the rest of the Internet.  Even if Exchange uses TCP to
connect to the nameserver, the nameserver can send the recursive query
using UDP.

But when querying outside nameservers, you have to allow outbound TCP in
case the result is too large for a UDP query.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
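The UDP-first, retry-on-truncation rule quoted from RFC 1123 above, as an added example that is not part of the original post: it builds a minimal query, inspects the TC bit of the UDP response to decide whether a TCP retry is needed, and applies the 16-bit length framing DNS uses over TCP. The two sample responses are constructed headers, not captured traffic.

```python
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (16-bit each, network order)
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # response (vs. query)
TC_BIT = 0x0200  # "truncated": answer did not fit in the UDP reply

def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Build a minimal standard query with RD set; qtype 1 = A record."""
    labels = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    header = HEADER.pack(qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header into the fields the resolver needs."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": qid, "qr": bool(flags & QR_BIT), "tc": bool(flags & TC_BIT),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(query: bytes, udp_response: bytes) -> bool:
    """RFC 1123 6.1.3.2: send UDP first; retry over TCP only if TC is set."""
    q, r = parse_header(query), parse_header(udp_response)
    if not r["qr"] or r["id"] != q["id"]:
        raise ValueError("response does not match the outstanding query")
    return r["tc"]

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def next_transport(query: bytes, udp_response: bytes) -> str:
    """Transport the resolver should use next: 'udp' (done) or 'tcp' (retry)."""
    return "tcp" if needs_tcp_retry(query, udp_response) else "udp"

# Constructed sample responses (headers only) for the query below.
QUERY = build_query("example.com.")
UDP_OK = HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0)     # QR, RD, RA set; not truncated
UDP_TRUNC = HEADER.pack(0x1234, 0x8380, 1, 0, 0, 0)  # same flags plus TC
```

A firewall that passes only UDP/53 outbound breaks exactly the `UDP_TRUNC` path: the resolver will try TCP and get no answer.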