* Michal Melewski (mike@pn66.poznan.sdi.tpnet.pl) [020506 15:02]:
> On Mon, May 06, 2002 at 01:47:54PM -0700, Vineet Kumar wrote:
> > This setup will work fine most of the time, but mysteriously fail when
> > replies to your DNS queries are long. Your resolver tries to ask udp/53,
> > but will need to connect to tcp/53 if the result is longer than can fit
> > in a single udp packet.
> Yes, but in my case disallowing tcp/53 is (or rather would be) another layer
> of security; preventing zone transfers. I have never had any problems with
> long answers...

Good; just wanted to make sure you (and others) were aware of it. It's good
to keep in mind in case you start to experience strange problems with DNS.

> But the simple rule is to give the simplest answers :)

Very true.

>
> > good times,
> > Vineet
>
> ps. and i'm very unhappy because of lack of -C options in iptables (people
> who have any experience with ipchains know what i mean).

Yeah, I missed it, too. With iptables, I just look more closely at my logs to
determine if it's doing the right thing.

good times,
Vineet

--
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml
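The UDP-then-TCP behaviour Vineet describes above is driven by the TC (truncated) bit in the DNS header. The following Python is an added example, not code from this thread or from any of its participants: it decodes the header of a constructed UDP reply, decides whether a resolver would have to retry over tcp/53, and shows the 2-byte length framing that TCP DNS uses. The sample messages, the `simulate_resolver` helper and its outcome labels are constructed for illustration.

```python
import struct

# Added example, not code from the thread. It models the DNS behaviour
# described in the message: a resolver asks over udp/53, and if the reply
# carries the TC (truncated) flag it retries the same question over tcp/53.
# Blocking tcp/53 therefore breaks only the queries whose answers are too
# large for one UDP datagram. All sample messages below are constructed.

# DNS header (RFC 1035 s4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000      # message is a response
FLAG_TC = 0x0200      # response was truncated to fit the UDP payload limit
RCODE_MASK = 0x000F

def build_header(msg_id, flags, qd=1, an=0, ns=0, ar=0):
    """Pack a 12-byte DNS header (used here only to construct samples)."""
    return HEADER.pack(msg_id, flags, qd, an, ns, ar)

def parse_header(msg):
    """Decode the fields a resolver needs to decide what to do with a reply."""
    if len(msg) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {
        "id": msg_id,
        "is_response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def needs_tcp_fallback(udp_reply):
    """True when the UDP reply is a truncated response, i.e. retry over TCP."""
    h = parse_header(udp_reply)
    return h["is_response"] and h["truncated"]

def frame_for_tcp(message):
    """Over TCP every DNS message is prefixed by a 2-byte length (RFC 1035 s4.2.2)."""
    return struct.pack("!H", len(message)) + message

def unframe_from_tcp(stream):
    """Strip the 2-byte length prefix and return exactly one message."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]

def simulate_resolver(udp_reply, tcp_allowed):
    """Outcome of one lookup given the UDP reply and whether tcp/53 is open.

    Returns "udp" if the UDP answer was complete, "tcp" if the resolver
    fell back to TCP successfully, and "stalled" if it needed TCP but the
    firewall blocks tcp/53 (the mysterious failure mentioned in the thread).
    Labels are constructed for this example.
    """
    if not needs_tcp_fallback(udp_reply):
        return "udp"
    return "tcp" if tcp_allowed else "stalled"

# Constructed samples: same transaction ID, one complete and one truncated reply.
SAMPLE_COMPLETE = build_header(0x1234, FLAG_QR, qd=1, an=2)
SAMPLE_TRUNCATED = build_header(0x1234, FLAG_QR | FLAG_TC, qd=1, an=0)

if __name__ == "__main__":
    for name, reply in (("complete", SAMPLE_COMPLETE), ("truncated", SAMPLE_TRUNCATED)):
        for tcp_allowed in (True, False):
            state = "open" if tcp_allowed else "blocked"
            print(f"{name:9s} reply, tcp/53 {state}: {simulate_resolver(reply, tcp_allowed)}")
```

The check mirrors what a stub resolver does after every UDP reply, so a firewall that drops the resolver's outbound connections to tcp/53 stalls exactly the truncated cases and nothing else, which is why the failure looks intermittent. Zone transfers, by contrast, are inbound connections to a server's tcp/53, so a rule can be written by direction rather than by blocking tcp/53 altogether.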