On Fri, Sep 03, 2004 at 10:46:15AM +0000, Ronan Flood wrote:
> "HuMPie" wrote:
> > Only allowing UDP traffic is enough; TCP traffic is only needed if you are
> > a master DNS server and need to transfer zones to your slave.
>
> Not true: you may need TCP if the response to a query is large and one
> or other server doesn't support EDNS0 large UDP packets.

And of course it's not really against the rules for a resolver to use TCP by default.

If you shut off querying over TCP, then you can probably expect most things to keep working. The interesting question here regards how easy it will be for you to figure out what's wrong when it eventually breaks something. Does the mostly imaginary security you're buying by blocking TCP weigh more than the eventual downtime?

--
Ed Schmollinger - schmolli@frozencrow.org
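An added example, not part of the thread above, showing the mechanics behind Ronan Flood's point: a server whose answer does not fit the client's UDP limit (512 bytes without EDNS0, RFC 1035; the advertised OPT payload size with it, RFC 6891) sets the TC bit, and the client must then repeat the query over TCP, which uses a 2-byte length prefix. The function names and the 1400-byte response size are constructed for illustration; nothing is sent on the network.

```python
import struct

DNS_QR = 0x8000          # response flag in the header flags word (RFC 1035 s4.1.1)
DNS_TC = 0x0200          # truncation flag: "answer was cut to fit UDP"
DEFAULT_UDP_MAX = 512    # UDP payload limit when the client sends no EDNS0 OPT record


def build_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    """Pack the 12-byte DNS header (id, flags, and the four section counts)."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def parse_header(wire):
    """Unpack the 12-byte DNS header; 'tc' is the field a resolver acts on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "tc": bool(flags & DNS_TC)}


def udp_limit(edns_bufsize):
    """Largest UDP reply the client accepts: 512 without EDNS0, otherwise the
    advertised size (values below 512 are treated as 512 per RFC 6891)."""
    if edns_bufsize is None:
        return DEFAULT_UDP_MAX
    return max(edns_bufsize, DEFAULT_UDP_MAX)


def server_udp_reply(txid, full_response_len, edns_bufsize):
    """Simulated server decision: if the full answer exceeds the UDP limit,
    send a truncated reply with TC set. Returns (header_bytes, truncated)."""
    flags = DNS_QR
    truncated = full_response_len > udp_limit(edns_bufsize)
    if truncated:
        flags |= DNS_TC
    return build_header(txid, flags), truncated


def client_needs_tcp(udp_reply):
    """Resolver side: TC set means the answer is incomplete and the same query
    must be retried over TCP (RFC 1035 s4.2.1, RFC 7766)."""
    return parse_header(udp_reply)["tc"]


def tcp_frame(wire):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 s4.2.2).
    If TCP/53 is filtered, this retry is exactly what gets dropped."""
    return struct.pack("!H", len(wire)) + wire


def demo():
    # Constructed case: a 1400-byte answer (e.g. a large TXT or DNSKEY response).
    hdr_plain, _ = server_udp_reply(0x1234, 1400, edns_bufsize=None)  # no EDNS0
    hdr_edns, _ = server_udp_reply(0x1234, 1400, edns_bufsize=4096)   # EDNS0 4096
    return client_needs_tcp(hdr_plain), client_needs_tcp(hdr_edns)    # (True, False)
```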