Re: blocking AXFR record query
* James Miller (jimm@simutronics.com) wrote:
>
>
> If memory serves, AXFR is a zone transfer. So, at your firewall, you would
> want to only allow TCP queries from your backup (secondary,
> tertiary, etc.) DNS servers (on the outside of your firewall) and limit
> everyone else to UDP queries. And for your bind9 config, something like
> this:
It is not a good idea to block TCP packets to your DNS server, since TCP
is not only used for zone transfer, it is also used when answering a DNS
query with a response that does not fit in a normal UDP datagram.
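To make the distinction concrete, here is an added example (not from the thread, and not BIND code) that parses the DNS header and question section: it tells a zone-transfer request (QTYPE AXFR/IXFR, which a filter or log rule can single out) apart from an ordinary query, and shows why TCP has to stay open, since a UDP answer with the TC bit set obliges the client to retry over TCP. The function names and the sample messages are constructed for this example.

```python
import struct

IXFR, AXFR = 251, 252          # zone-transfer QTYPEs (RFC 1995 / RFC 1035)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080

def parse_question(msg: bytes):
    """Return (flags, qname, qtype) from a DNS message.

    Only the header and the first question are read; names in the question
    section are uncompressed in practice, so compression pointers are rejected.
    """
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed name in question")
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return flags, ".".join(labels) + ".", qtype

def is_zone_transfer(msg: bytes) -> bool:
    """True if the message asks for AXFR or IXFR; this is what allow-transfer
    style policy should restrict, not TCP/53 as a whole."""
    return parse_question(msg)[2] in (AXFR, IXFR)

def needs_tcp_retry(udp_response: bytes) -> bool:
    """True if a UDP response is truncated (TC bit), i.e. the answer did not
    fit the datagram and the resolver must repeat the query over TCP."""
    flags = parse_question(udp_response)[0]
    return bool(flags & FLAG_QR) and bool(flags & FLAG_TC)

def build_message(qname: str, qtype: int, flags: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS message with one question (constructed test input)."""
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)   # class IN

# Constructed samples: a zone-transfer request and a truncated ordinary answer.
AXFR_QUERY = build_message("example.com.", AXFR, FLAG_RD)
TRUNCATED_A_RESPONSE = build_message("example.com.", 1, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA)
```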