
Re: secured server policies



On Sat, 2008-11-08 at 19:03 +0000, daniel wrote:
> Ansgar Wiechers wrote:
> > On 2008-10-31 daniel wrote:
> >> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> >> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > 
> > You need TCP for fully functional DNS as well.
> Why do I need TCP for fully functional DNS?
> TCP must be used for zone transfers.
> See --> http://www.freesoft.org/CIE/Topics/77.htm

No, it's not exactly true.

You need TCP in the case when the answer is too big to fit in a UDP
packet. If this happens, the client should reconnect using TCP.

From RFC 1035:

4.2.1. UDP usage

Messages sent using UDP user server port 53 (decimal).

Messages carried by UDP are restricted to 512 bytes (not counting the IP
or UDP headers).  Longer messages are truncated and the TC bit is set in
the header.
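As an added illustration (not part of the original thread or of RFC 1035): a small Python resolver that sends the query over UDP, checks the TC bit in the reply header, and repeats the identical query over TCP with the 2-byte length framing of RFC 1035 section 4.2.2. The `fake_udp`/`fake_tcp` responders are constructed stand-ins so it runs offline; `tcp_transport` is a hypothetical real socket sender, which is exactly the traffic the udp-only INPUT/OUTPUT rules quoted above would drop.

```python
import socket
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: 12-byte header with RD set, one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(msg):
    """True if the TC bit (0x0200 in the flags word, RFC 1035 4.1.1) is set."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

def tcp_frame(msg):
    """RFC 1035 4.2.2: over TCP each message carries a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def resolve(query, send_udp, send_tcp):
    """UDP first; if the server set TC, repeat the identical query over TCP.
    Transports are injected callables so the fallback can be exercised offline."""
    resp = send_udp(query)
    if not is_truncated(resp):
        return resp, "udp"
    framed = send_tcp(tcp_frame(query))
    length = struct.unpack("!H", framed[:2])[0]
    return framed[2:2 + length], "tcp"

def tcp_transport(server, timeout=3.0):
    """Real TCP/53 sender (hypothetical helper): the traffic a udp-only
    firewall policy drops, so truncated answers are never completed."""
    def send(framed):
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(framed)
            f = s.makefile("rb")
            head = f.read(2)
            return head + f.read(struct.unpack("!H", head)[0])
    return send

# Constructed offline stand-ins: UDP replies with flags QR|TC|RD|RA (0x8380) and
# no records; TCP replies QR|RD|RA (0x8180) with a 600-byte padded body.
def fake_udp(query):
    return query[:2] + struct.pack("!H", 0x8380) + query[4:]

def fake_tcp(framed):
    return tcp_frame(framed[2:4] + struct.pack("!H", 0x8180) + framed[6:] + b"\x00" * 600)
```

With the constructed responders, `resolve(build_query("example.com"), fake_udp, fake_tcp)` returns the 629-byte answer and the string `"tcp"`; swap in `tcp_transport("<resolver-ip>")` and a matching UDP sender to observe the same fallback against a real server.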
