On Sat, 2008-11-08 at 19:03 +0000, daniel wrote: > Ansgar Wiechers wrote: > > On 2008-10-31 daniel wrote: > >> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT > >> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT > > > > You need TCP for fully functional DNS as well. > Why do I need TCP for fully functional DNS? > TCP must be used for zone transfers. > See --> http://www.freesoft.org/CIE/Topics/77.htm No, it's not exactly true. You need tcp in the case when the answer is too big to fit in an UDP packet. If this happen, the client should reconnect using tcp. From rfc 1035: 4.2.1. UDP usage Messages sent using UDP user server port 53 (decimal). Messages carried by UDP are restricted to 512 bytes (not counting the IP or UDP headers). Longer messages are truncated and the TC bit is set in the header.
Description: S/MIME cryptographic signature