>If the length of a DNS query packet exceeds 512 bytes, it is sent
>through tcp port 53. That means most query packets come via
>udp 53. In practice, our site blocks DNS packets to tcp 53 except from
>secondary servers at the ISP site, but we have not experienced any trouble.
We block tcp to port 53, except to our "external" DNS. The external knows
nothing about the internal ones. This blocks zone transfers from going in
or out, but lookups are acceptable. The only thing I don't like about this
is that you can still do nslookups from outside in, but since we don't
advertise our internal nameservers...
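The thread turns on two facts: which DNS messages travel over TCP rather than UDP, and that a TCP/53 block therefore stops zone transfers (AXFR/IXFR) while ordinary lookups keep working. The following Python is an added example, not code from either poster: it builds and parses minimal DNS wire messages, decides which transport a message would use, and models the filtering rule described in the reply above. The external nameserver address `EXTERNAL_DNS` and the sample messages are constructed placeholders. Beyond the 512-byte rule quoted above, it also treats a UDP response with the TC (truncated) bit set as forcing the client to retry over TCP, which is the standard RFC 1035 behaviour.

```python
import struct

# Assumptions (not from the thread): a placeholder address for the site's
# "external" nameserver, and sample messages constructed inline below.
EXTERNAL_DNS = "192.0.2.53"
QTYPE_A, QTYPE_AXFR, QTYPE_IXFR = 1, 252, 251
UDP_MAX_PAYLOAD = 512          # classic UDP limit (RFC 1035, without EDNS)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as DNS labels: "example.com" -> 07 example 03 com 00."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode labels starting at offset; question names are sent uncompressed."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer in question name not handled here")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname, qtype, txid=0x1234):
    """Standard query: RD set, one question, no answer/authority/additional records."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, truncated=False):
    """Echo the question back as a response; TC is set when the UDP answer did not fit."""
    txid, = struct.unpack("!H", query[:2])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def parse_message(msg):
    """Header fields plus the first question; enough to classify the message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "truncated": bool(flags & FLAG_TC), "qname": qname,
            "qtype": qtype, "qclass": qclass, "qdcount": qd, "ancount": an}


def is_zone_transfer(msg):
    """AXFR/IXFR requests are what the TCP/53 block is meant to stop."""
    return parse_message(msg)["qtype"] in (QTYPE_AXFR, QTYPE_IXFR)


def transport_for(msg):
    """UDP unless the message exceeds 512 bytes or a truncated (TC) response forces a TCP retry."""
    if len(msg) > UDP_MAX_PAYLOAD or parse_message(msg)["truncated"]:
        return "tcp"
    return "udp"


def policy_decision(proto, dst_ip, dst_port=53):
    """Model of the rule in the reply: TCP to port 53 only to the external server; UDP 53 allowed."""
    if dst_port != 53:
        return "not-dns"
    if proto == "udp":
        return "allow"
    return "allow" if proto == "tcp" and dst_ip == EXTERNAL_DNS else "deny"


def classify_flow(proto, dst_ip, msg):
    """Combine the parse and the policy for one captured DNS message."""
    kind = "zone-transfer" if is_zone_transfer(msg) else "lookup"
    return kind, policy_decision(proto, dst_ip)


if __name__ == "__main__":
    internal_ns = "10.0.0.5"   # constructed internal nameserver address
    lookup = build_query("www.example.com", QTYPE_A)
    axfr = build_query("example.com", QTYPE_AXFR)
    print(classify_flow("udp", internal_ns, lookup))      # ('lookup', 'allow')
    print(classify_flow("tcp", internal_ns, axfr))        # ('zone-transfer', 'deny')
    print(classify_flow("tcp", EXTERNAL_DNS, axfr))       # ('zone-transfer', 'allow')
    truncated = build_response(lookup, truncated=True)
    print(transport_for(truncated), policy_decision("tcp", internal_ns))   # tcp deny
```

The last line illustrates the cost the posters accept: a lookup whose answer does not fit in a UDP datagram is retried over TCP, and that retry is dropped unless it is headed for the external server. Whether a transfer request that does reach the external server succeeds is up to that server's own zone configuration, which this model does not cover.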