* James Miller (jimm@simutronics.com) wrote:
If memory serves, AXFR is a zone transfer. So, at your firewall, you would
want to only allow TCP queries from your backup (secondary,
trinary, etc.) DNS servers (on the outside of your firewall) and limit
everyone else to UDP queries. And for your bind9 config, something like
this:
It is not a good idea to block TCP packets to your DNS server, since TCP
is not only used for zone transfer, it is also used when answering a DNS
query with a response that does not fit in a normal UDP datagram.
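The point of the reply above, shown as an added example that is not part of the thread: a resolver that receives a UDP response with the TC (truncated) bit set is required to repeat the query over TCP, so dropping TCP/53 at the firewall silently breaks resolution for any answer larger than the UDP limit. The code builds a minimal DNS query, a constructed truncated response (standing in for what an authoritative server would send), and the TCP-framed retry; the message bytes are constructed for the example, no real server is contacted.

```python
import struct

DNS_UDP_MAX = 512   # classic UDP payload limit without EDNS0 (RFC 1035)
FLAG_QR = 0x8000    # response bit
FLAG_TC = 0x0200    # truncated bit: "answer did not fit, retry over TCP"
FLAG_RD = 0x0100    # recursion desired


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (A record by default) for `name`."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)  # 1 question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype, class IN


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response: bytes) -> bool:
    """True when the UDP answer is a truncated response (QR and TC both set)."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def constructed_truncated_response(query: bytes) -> bytes:
    """Constructed sample: echo the question back with QR|TC set and no answers.

    This mimics what a server sends when the real answer exceeds DNS_UDP_MAX;
    the client is expected to ask again over TCP to get the full response."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_QR | FLAG_TC, qd, 0, 0, 0)
    return header + query[12:]


def constructed_complete_response(query: bytes) -> bytes:
    """Constructed sample: same question, QR set, TC clear (answer fit in UDP)."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_QR, qd, 0, 0, 0)
    return header + query[12:]


def plan_retry(query: bytes, udp_response: bytes):
    """Decide what a resolver does next after a UDP answer.

    Returns ("done", None) if the UDP answer is usable, or ("tcp", framed_query)
    if the response was truncated and the same query must be resent over TCP/53.
    If a firewall drops that TCP connection, the lookup fails here."""
    if needs_tcp_retry(udp_response):
        return "tcp", tcp_frame(query)
    return "done", None


if __name__ == "__main__":
    q = build_query("example.com")  # constructed query, not sent anywhere
    for label, resp in (("truncated", constructed_truncated_response(q)),
                        ("complete", constructed_complete_response(q))):
        action, framed = plan_retry(q, resp)
        print(f"{label}: next step = {action}",
              f"(TCP frame {len(framed)} bytes)" if framed else "")
```

The TC flag is the only thing that distinguishes the two constructed responses; a firewall rule that admits UDP/53 but rejects TCP/53 from ordinary clients turns every truncated answer into a timeout, which is the failure the reply warns about. Limiting AXFR to known secondaries is better done in the name server's own transfer ACL than by blocking TCP wholesale.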