Re: checking security logs
> Is it not normal for nameservers to "talk" to each other?
> Or are nameservers only supposed to "talk" to their listed forwarders?
Perhaps your server is listed as an up-stream server for someone else's server.
> What about [A-M].ROOT-SERVERS.NET?
DNS servers are only supposed to talk to their up-stream (or down-stream)
servers; the up-stream may have the result they want cached from a request
from another server on the same level as yours.
> I am currently allowing all otherwise reasonable tcp connections
> with my nameserver (by IP) as the destination in and out at port 53.
> Is that risky, or is that helping resolvers get my IP quicker?
> Or both? Or neither?
I think that DNS servers should be open to everyone. If some other ISP
server wants the address of one of your clients (assuming you're an ISP),
and none of their up-stream servers have it cached, their server may come
and ask your server directly.
DNS requests should usually come in UDP form, and only use TCP if the
request or response has too much data to fit in a UDP packet.
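As an added illustration (not part of the reply above): the UDP-to-TCP fallback it describes is driven by the TC (truncated) bit in the DNS header, so a log reviewer seeing a TCP port-53 connection right after a UDP exchange can check for exactly that. The header bytes below are constructed samples, not captured traffic.

```python
import struct

# DNS header layout (RFC 1035): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
# FLAGS bit positions (from the high bit): QR(15) OPCODE(14-11) AA(10) TC(9) RD(8) RA(7) Z(6-4) RCODE(3-0)

def parse_dns_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header of a UDP or TCP message payload."""
    if len(data) < 12:
        raise ValueError("DNS header needs at least 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,         # 1 = answer did not fit in UDP
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def needs_tcp_retry(udp_response: bytes) -> bool:
    """True when a UDP response is truncated, so the client is expected to retry over TCP."""
    h = parse_dns_header(udp_response)
    return h["qr"] == 1 and h["tc"] == 1

def classify_port53_payload(data: bytes) -> str:
    """Label a port-53 payload the way a reviewer of firewall/DNS logs would want it summarised."""
    h = parse_dns_header(data)
    if h["qr"] == 0:
        return "query"
    if h["tc"] == 1:
        return "truncated-response (expect TCP follow-up)"
    return "response"

# Constructed sample headers (hypothetical, for demonstration only):
# 0x8180 -> QR=1, RD=1, RA=1, TC=0 : a normal UDP answer
# 0x8380 -> QR=1, RD=1, RA=1, TC=1 : a truncated UDP answer
# 0x0100 -> QR=0, RD=1             : a plain recursive query
NORMAL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL_RESPONSE), ("truncated", TRUNCATED_RESPONSE), ("query", QUERY)]:
        print(name, classify_port53_payload(pkt), "tcp-retry:", needs_tcp_retry(pkt))
```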