RE: blocking AXFR record query
On Wed, 28 Jan 2004, James Miller wrote:
> If memory serves.. AXFR is a zone transfer... So, at your firewall, would
> want to only allowing TCP queries from your backup (secondary,
> trinary..etc.) dns servers (on the outside of your firewall) and limit
> everyone else to UDP queries.
I am no BIND expert, but please do not block TCP 53 unless you want to
drop about 20% (might be another percentage at your site) of all valid
lookups too! There is a long-standing myth that DNS traffic is UDP only
(excepting zone transfers). THIS IS NOT TRUE. I am sorry, I can't help
you with the BIND specific stuff.