> I'm using access-list packet filtering on Cisco routers (no flaming please)
> and I'm trying to block DNS zone transfers from machines outside our domain.
> Yes, I could use the xfrnets directive, but then I'd have to find
> all the rogue secondaries in my company. From what I know,
> I can block TCP port 53, but this would also block queries
> (responses actually) > 512 bytes. Any thoughts on this?
> A 512-byte response seems pretty big to me, but then again so
> did 64k to an unnamed billionaire.
If the length of a DNS query packet exceeds 512 bytes, it is sent
through TCP port 53. That means most query packets come via
UDP 53. In practice, our site blocks DNS packets to TCP 53 except from
the secondary servers at the ISP site, and we have not experienced any trouble.
Nihon Keizai Shimbun Inc.
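The trade-off both messages describe, worked through as an added example (this is not code from either poster): a first-match-wins extended ACL that permits TCP 53 only from known secondaries, denies TCP 53 from everyone else, and permits UDP 53, applied to a resolver whose UDP answer does or does not fit in 512 bytes. The addresses (192.0.2.0/29 for the ISP secondaries, 203.0.113.9 for an outside resolver, 198.51.100.x for the answer records), the name example.test, and the rule set itself are assumptions made for the illustration; the 512-byte limit is the classic RFC 1035 UDP limit without EDNS0.

```python
"""Added example: what a 'deny tcp any eq 53 except from secondaries' ACL
does to ordinary DNS traffic.  Not code from the original thread; the ACL
rules, addresses and names below are constructed for illustration."""
import struct
import ipaddress

# Classic DNS-over-UDP payload limit (RFC 1035) when EDNS0 is not in use.
UDP_MAX = 512

# Cisco-style extended ACL, evaluated top down, first match wins, implicit
# deny at the end.  Constructed policy mirroring the thread:
#   (protocol, source network, destination port, action)
ACL = [
    ("tcp", "192.0.2.0/29", 53, "permit"),   # ISP secondaries (assumed addresses)
    ("tcp", "0.0.0.0/0",    53, "deny"),     # no other TCP 53: blocks zone transfers
    ("udp", "0.0.0.0/0",    53, "permit"),   # ordinary queries
]


def acl_decision(proto, src_ip, dst_port):
    """Return 'permit' or 'deny' for a packet, like an IOS extended ACL."""
    src = ipaddress.ip_address(src_ip)
    for rule_proto, net, port, action in ACL:
        if proto == rule_proto and dst_port == port and src in ipaddress.ip_network(net):
            return action
    return "deny"  # implicit deny at the end of every ACL


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname, addresses, txid=0x1234):
    """Build a DNS response carrying one A record per address.

    If the full message would not fit in UDP_MAX bytes, do what a server does
    on the UDP path: set the TC bit and send the question with no answers,
    so the resolver retries the same query over TCP 53.
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN
    answers = b"".join(
        b"\xc0\x0c"                                                 # pointer to the question name
        + struct.pack("!HHIH", 1, 1, 300, 4)                        # A, IN, TTL 300, RDLENGTH 4
        + ipaddress.ip_address(a).packed
        for a in addresses)
    if 12 + len(question) + len(answers) > UDP_MAX:
        # flags 0x8600 = QR | AA | TC, ANCOUNT 0
        return struct.pack("!HHHHHH", txid, 0x8600, 1, 0, 0, 0) + question
    # flags 0x8400 = QR | AA
    return struct.pack("!HHHHHH", txid, 0x8400, 1, len(addresses), 0, 0) + question + answers


def is_truncated(response):
    """TC is bit 9 of the flags word, i.e. bit 1 of byte 2 of the header."""
    return bool(response[2] & 0x02)


def client_outcome(src_ip, qname, addresses):
    """Simulate an outside resolver querying through the ACL."""
    if acl_decision("udp", src_ip, 53) != "permit":
        return "blocked-udp"
    resp = build_response(qname, addresses)
    if not is_truncated(resp):
        return "answered-udp"
    # Truncated answer: the resolver retries over TCP 53, which the ACL now judges.
    if acl_decision("tcp", src_ip, 53) == "permit":
        return "answered-tcp"
    return "blocked-tcp-retry"


if __name__ == "__main__":
    small = [f"198.51.100.{i}" for i in range(1, 31)]   # 30 A records: fits in 512 bytes
    big = [f"198.51.100.{i}" for i in range(1, 32)]     # 31 A records: exceeds 512 bytes
    for who in ("203.0.113.9", "192.0.2.3"):
        print(who, "small:", client_outcome(who, "example.test", small),
              "big:", client_outcome(who, "example.test", big))
```

The outside resolver gets its answer as long as it fits in a UDP datagram, and only sees the ACL bite when the server sets TC and it falls back to TCP; the ISP secondary is unaffected either way because its TCP 53 is permitted before the deny. Note that a resolver advertising an EDNS0 UDP buffer (RFC 6891) raises the 512-byte threshold, so on a modern network the TCP fallback is rarer than it was when the filter was first discussed, but it still happens for answers larger than the advertised buffer.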