Confused about a basic concept

Mark Andrews marka at isc.org
Wed Jun 5 23:39:55 UTC 2013


In message <05883710-136f-4dc2-8079-e29a68fedb23 at me.com>, Bryan Harris writes:
> Hi everyone,
>
> Thanks for all the detailed responses, I think I have a better
> understanding of things now.  I was completely and totally confused about
> UDP/TCP.  I am just going to take a wild guess that doing iptables the
> way I described would've caused a bunch of problems...

DNS uses both UDP and TCP for every relationship (server<->server
and client<->server).  You don't need to know when, you just need
to leave both transport protocols open to avoid problems.

If you have an auditor or a security "expert" tell you to turn off
TCP for DNS then it is a sure sign that they are incompetent.

Similarly DNS uses fragmented UDP packets.  You need to pass these
through your firewall.

Similarly DNS UDP messages can be bigger than 512 bytes (named does
up to 4046 byte payload UDP packets).

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
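As an added example (not part of Mark's message and not BIND code), here is the client-side mechanism that makes the TCP rule necessary: a resolver sends over UDP, checks the TC (truncated) bit in the reply header, and if it is set repeats the query over TCP, where each message carries a 2-byte length prefix. The query name and transaction ID are constructed sample values.

```python
import struct

DNS_FLAG_QR = 0x8000  # response bit
DNS_FLAG_TC = 0x0200  # truncation bit: UDP answer was cut short


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (header + one question), as sent over UDP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # IN class


def parse_header(msg: bytes) -> dict:
    """Unpack the fixed 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def is_truncated(response: bytes) -> bool:
    """TC=1 means the server could not fit the answer in the UDP reply;
    the client must re-ask over TCP (RFC 1035 section 4.2.1)."""
    return bool(parse_header(response)["flags"] & DNS_FLAG_TC)


def frame_for_tcp(msg: bytes) -> bytes:
    """Over TCP every DNS message is prefixed with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def choose_transport(udp_response: bytes) -> str:
    """Decide whether the query must be retried over TCP after a UDP attempt."""
    return "tcp" if is_truncated(udp_response) else "udp"


# Constructed sample replies to the query below (no answer records included).
# 0x8380 = QR | TC | RD | RA : server truncated a large answer, retry over TCP.
# 0x8180 = QR | RD | RA      : complete answer, UDP was enough.
QUERY = build_query("example.com")
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
FULL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print("truncated reply ->", choose_transport(TRUNCATED_REPLY))
    print("full reply      ->", choose_transport(FULL_REPLY))
    print("TCP frame       ->", frame_for_tcp(QUERY)[:2].hex(), "+ message")
```

A firewall that drops TCP/53 turns the `tcp` branch into a timeout, which is why both transports must be open even though most queries complete over UDP.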