At 9:57 PM 7/6/95, David Madole/TMG/CSC wrote:
>By the way, DNS only uses TCP for zone transfers, so unless you are running a
>secondary nameserver on the other side of your firewall, you do not need (or
>want) the permit TCP lines in the filter.
This is true for UNIX implementations of DNS (i.e., BIND), but not
necessarily true in general. In fact, it's not even true for all versions
of BIND, I don't think; I believe (though my info may be out of date) that
IBM AIX systems always use TCP connections for DNS, even for simple
resolver queries that most other UNIX systems would use UDP for.
Basically, in order to fully support DNS, you have to support both UDP and
TCP queries.
-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                          Great Circle Associates
Brent@GreatCircle.COM                  1057 West Dana Street
+1 415 962 0841                        Mountain View, CA 94041
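To make the transport point concrete, here is an added example (not part of the original thread) in Python that builds a DNS query, sends it over UDP, and retries over TCP when the server sets the TC (truncated) bit, the fallback RFC 1035 requires; a filter that permits only UDP 53 silently breaks that second step. The server address and query name in the usage line are assumed values.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard recursive query (QCLASS IN) in DNS wire format."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """True if the TC bit (0x0200 in the flags word) is set."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & 0x0200)

def tcp_frame(message):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def tcp_unframe(data):
    """Strip the TCP length prefix; reject short frames instead of guessing."""
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("short TCP DNS frame")
    return data[2:2 + length]

def resolve(name, server, timeout=3.0):
    """Query over UDP first; fall back to TCP on truncation.
    Returns (transport_used, raw_response)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        resp, _ = udp.recvfrom(512)  # classic UDP DNS limit
    if not is_truncated(resp):
        return "udp", resp
    # TC set: the answer did not fit in UDP, so repeat the query over TCP 53.
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        data = b""
        while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
            chunk = tcp.recv(4096)
            if not chunk:
                raise ConnectionError("TCP DNS connection closed early")
            data += chunk
    return "tcp", tcp_unframe(data)

if __name__ == "__main__":
    # Assumed values: a reachable resolver and a name to look up.
    print(resolve("example.com", "192.0.2.53")[0])
```

If the resolver sits behind a filter that drops TCP 53, the UDP leg succeeds for small answers and the TCP leg times out only for large ones, which is exactly the intermittent failure the thread is warning about.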