BIND and TCP

Michael Bernhardt MBernha at bart.gov
Fri Sep 23 23:11:51 UTC 2005


I'm running BIND 9.2.3. Our outside servers are set to only allow zone
transfers to our ISP's slave. Our firewall is set to only allow UDP packets
to them, except to/from that slave. But we can see that the server does
attempt TCP traffic to other DNS servers anyway. No one seems to complain
about poor performance but maybe the lack of TCP shows up in other ways?

I understand that BIND will use TCP for queries when the packet size of 512
is insufficient (if that's not correct, please educate me). I also am to
understand the RFC supposedly requires that DNS use TCP in these
circumstances. But we do not want to be bothered with everyone and their
bored brothers being able to do any more than absolutely necessary.

Is there a way to tell BIND to never use TCP? Does anyone have
recommendations on how to best balance security and proper application, with
the edge going toward security? Can't find anything on this in the O'Reilly
BIND book but maybe I missed it.
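An added illustration of the truncation behaviour the post describes (my example, not code from the poster or from BIND): a resolver that gets a UDP reply with the TC (truncated) bit set repeats the same query over TCP, so a UDP-only firewall turns every such lookup into a failure rather than a slow answer. The sample DNS messages are constructed inline and `resolver_action` is a hypothetical helper that models the decision, not a BIND API.

```python
import struct

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP message limit (RFC 1035)

# Header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # 1 = response
FLAG_TC = 0x0200  # 1 = message was truncated to fit the UDP limit
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, truncated):
    """Constructed sample reply: 12-byte header plus one question, no answers.
    A real server sets TC when the full answer would not fit in 512 bytes."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if truncated:
        flags |= FLAG_TC
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN


def parse_header(msg):
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def resolver_action(udp_reply, tcp_allowed):
    """What a resolver does with a UDP reply: accept it, retry the query over
    TCP because TC is set, or fail when TC is set but TCP is filtered."""
    hdr = parse_header(udp_reply)
    if not hdr["is_response"]:
        return "ignore"
    if not hdr["truncated"]:
        return "accept"
    return "retry-over-tcp" if tcp_allowed else "fail-tcp-blocked"


if __name__ == "__main__":
    ok = build_response(0x1234, "example.com", truncated=False)
    tc = build_response(0x1234, "example.com", truncated=True)
    print(resolver_action(ok, tcp_allowed=False))  # accept
    print(resolver_action(tc, tcp_allowed=True))   # retry-over-tcp
    print(resolver_action(tc, tcp_allowed=False))  # fail-tcp-blocked
```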
