[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: blocking AXFR record query

On Wed, 28 Jan 2004, James Miller wrote:

> If memory serves.. AXFR is a zone transfer... So, at your firewall, would
> want to only allowing TCP queries from your backup (secondary,
> trinary..etc.) dns servers (on the outside of your firewall) and limit
> everyone else to UDP queries.

I am no BIND expert, but please do not block TCP 53 unless you want to
drop about 20% (might be another percentage at your site) of all valid
lookups too! There is a long-standing myth that DNS traffic is UDP only
(excepting zone transfers). THIS IS NOT TRUE. I am sorry, I can't help
you with the BIND specific stuff.

Grx HdV

Reply to: