Re: secured server policies
SZALAY Attila wrote:
> On Sat, 2008-11-08 at 19:03 +0000, daniel wrote:
>> Ansgar Wiechers wrote:
>>> On 2008-10-31 daniel wrote:
>>>> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>>>> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> You need TCP for fully functional DNS as well.
>> Why do I need TCP for fully functional DNS?
>> TCP must be used for zone transfers.
>> See --> http://www.freesoft.org/CIE/Topics/77.htm
> No, it's not exactly true.
> You need tcp in the case when the answer is too big to fit in an UDP
> packet. If this happen, the client should reconnect using tcp.
> From rfc 1035:
> 4.2.1. UDP usage
> Messages sent using UDP user server port 53 (decimal).
> Messages carried by UDP are restricted to 512 bytes (not counting the IP
> or UDP headers). Longer messages are truncated and the TC bit is set in
> the header.
Thanks for your explanation.
I will read more the RFC's. :)