[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: blocking AXFR record query

* James Miller (jimm@simutronics.com) wrote:
> 
> 
> If memory serves.. AXFR is a zone transfer... So, at your firewall, would
> want to only allowing TCP queries from your backup (secondary,
> trinary..etc.) dns servers (on the outside of your firewall) and limit
> everyone else to UDP queries.  And for your bind9 config something like
> this:

It is not a good idea to block TCP packets to your DNS server, since TCP
is not only used for zone transfer, it is also used when answering a DNS
query with a response that does not fit in a normal UDP datagram.
Reply to: