firewalling
Barry Margolin
barmar at alum.mit.edu
Sun Sep 5 04:29:42 UTC 2004
In article <ch9sfo$q3i$1 at sf1.isc.org>,
Ed Schmollinger <schmolli at frozencrow.org> wrote:
> And of course it's not really against the rules for a resolver to use
> TCP by default.
Yes it is. From RFC 1123:
6.1.3.2 Transport Protocols
DNS resolvers and recursive servers MUST support UDP, and
SHOULD support TCP, for sending (non-zone-transfer) queries.
Specifically, a DNS resolver or server that is sending a
non-zone-transfer query MUST send a UDP query first. If the
Answer section of the response is truncated and if the
requester supports TCP, it SHOULD try the query again using
TCP.
Microsoft Exchange is violating the protocol by only using TCP.
Anyway, I'm not sure how relevant this is to the OP. This behavior of
Exchange is between the clients and the caching nameserver. I think the
OP wanted to know what ports to open up on his firewall between the
nameserver and the rest of the Internet. Even if Exchange uses TCP to
connect to the nameserver, the nameserver can send the recursive query
using UDP.
But when querying outside nameservers, you have to allow outbound TCP in
case the result is too large for a UDP query.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
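The UDP-first, TCP-on-truncation rule from RFC 1123 quoted above, as an added example (not code from the post or from BIND); the server address is a constructed placeholder, and the transports are injectable so the fallback logic can be exercised without a network:

```python
import socket
import struct

DNS_SERVER = "192.0.2.53"  # constructed placeholder (TEST-NET-1), not a real resolver


def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def is_truncated(response):
    """TC is bit 9 of the flags word at offset 2 (RFC 1035 section 4.1.1)."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & 0x0200)


def udp_transport(server, query, timeout=3.0):
    """Plain UDP/53 exchange; the whole response is one datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS/TCP peer closed before the full message")
        buf += chunk
    return buf


def tcp_transport(server, query, timeout=3.0):
    """TCP/53 exchange; RFC 1035 section 4.2.2 prefixes each message with a 2-byte length."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


def resolve(query, server=DNS_SERVER, udp=udp_transport, tcp=tcp_transport):
    """RFC 1123 6.1.3.2: send over UDP first; retry over TCP only when TC is set.
    Returns (response, transport_used). With outbound TCP/53 blocked at the
    firewall, only the retry fails, which is exactly the case the post warns about."""
    response = udp(server, query)
    if not is_truncated(response):
        return response, "udp"
    return tcp(server, query), "tcp"
```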