In message <05883710-136f-4dc2-8079-e29a68fed...@me.com>, Bryan Harris writes:

> Hi everyone,
>
> Thanks for all the detailed responses, I think I have a better
> understanding of things now. I was completely and totally confused about
> UDP/TCP. I am just going to take a wild guess that doing iptables the
> way I described would've caused a bunch of problems...
DNS uses both UDP and TCP for every relationship (server<->server and client<->server). You don't need to know when, you just need to leave both transport protocols open to avoid problems. If you have an auditor or a security "expert" tell you to turn off TCP for DNS then it is a sure sign that they are incompetent.

Similarly DNS uses fragmented UDP packets. You need to pass these through your firewall.

Similarly DNS UDP messages can be bigger than 512 bytes (named does up to 4046 byte payload UDP packets).

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
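An added example (Python, not part of Mark's reply nor of BIND itself) that shows the two wire-level mechanisms behind the advice above: a UDP query advertises the payload size it can accept through an EDNS0 OPT record, and a reply that still does not fit comes back with the TC (truncated) flag set, which obliges the client to repeat the same query over TCP, where each message is prefixed with a two-byte length. Every byte here is constructed inline; the name example.com, transaction id 0x1234 and the advertised size of 4096 are arbitrary values chosen for the example, and nothing touches the network.

```python
import struct

# Added example (not from the bind-users post above). All bytes below are
# constructed in-line; nothing touches the network.

DNS_CLASSIC_UDP_MAX = 512   # pre-EDNS limit on a UDP DNS message (RFC 1035)
FLAG_QR = 0x8000            # header flag: message is a response
FLAG_TC = 0x0200            # header flag: truncated, answer did not fit in UDP
FLAG_RD = 0x0100            # header flag: recursion desired
TYPE_OPT = 41               # EDNS0 OPT pseudo-RR type


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, edns_udp_size=4096, txid=0x1234):
    """Build a UDP query; when edns_udp_size is set, append an OPT RR advertising it."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    if not edns_udp_size:
        return header + question
    # OPT RR: root owner name, TYPE=41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero here), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """UDP payload size the message advertises via EDNS0, else the classic 512."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"]):
        off = skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen                          # TYPE, CLASS, TTL, RDLENGTH, RDATA
    for _ in range(h["arcount"]):
        off = skip_name(msg, off)
        rrtype, rrclass = struct.unpack("!HH", msg[off:off + 4])
        if rrtype == TYPE_OPT:
            return rrclass                         # OPT reuses CLASS for the size
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    return DNS_CLASSIC_UDP_MAX


def needs_tcp_retry(response):
    """True when a UDP reply is truncated and the same query must be re-sent over TCP."""
    return parse_header(response)["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Split a TCP byte stream into complete DNS messages; leftover bytes are returned too."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break                                  # partial message, wait for more bytes
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


# Constructed sample: a resolver's UDP reply with QR and TC set and an empty
# answer section, i.e. "too big for UDP, ask again over TCP".
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    q = build_query("example.com")
    print("query advertises UDP payload size", advertised_udp_size(q))
    print("reply has TC set, retry over TCP:", needs_tcp_retry(TRUNCATED_REPLY))
    print("TCP framing prefix for the query:", frame_for_tcp(q)[:2].hex())
```

A firewall that drops TCP/53 breaks the second half of this exchange: the truncated UDP reply arrives, the client retries over TCP, and the retry never gets through, so the name simply fails to resolve. A firewall that drops UDP fragments breaks the first half for any reply larger than the path MTU, which is exactly what an advertised size above 512 permits; in that case the client sees a timeout rather than a TC flag, which is why such failures are hard to diagnose from the client side.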