At 9:57 PM 7/6/95, David Madole/TMG/CSC wrote:
>By the way, DNS only uses TCP for zone transfers, so unless you are running a
>secondary nameserver on the other side of your firewall, you do not need (or
>want) the permit TCP lines in the filter.
This isn't true. You're confused because the most common version of
resolver on UNIX, the one that comes with BIND, has this behavior. It
isn't true in general.
Any query, not just a zone transfer, can be done in TCP. In fact you can find
a recommendation in the RFCs that they should! If a resolver does prefer UDP,
when a response comes back with the truncate field set, it should retry the
query in TCP, so even normal resolvers like nslookup can sometimes make
requests in TCP.
Patrick
_______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;). \
| (mail copyright Patrick J. Horgan) (\ |
| Patrick J. Horgan Amdahl Corporation \\ Have |
| patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword |
| Phone : (408)992-2779 P.O. Box 3470 M/S 316 \\/ Will |
| FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel |
\___________________________O16-2294________________________\)__________/
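The truncation fallback Patrick describes, as an added example that is not part of the thread: it builds a minimal DNS query, inspects the TC flag in a UDP response header (RFC 1035 layout), and shows the 2-byte length prefix DNS uses over TCP. The query name and the two sample responses are constructed bytes, not captured traffic.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD=1, one question, class IN; qtype 1 = A."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header; TC (bit 9 of flags) marks a truncated reply."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "tc": bool(flags & 0x0200),   # 1 = truncated, full answer did not fit in UDP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def needs_tcp_retry(udp_response):
    """A UDP response with TC=1 is incomplete; a resolver should repeat the query over TCP.
    If a firewall only permits UDP/53, this retry silently fails for large answers."""
    return parse_header(udp_response)["tc"]

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack(">H", len(msg)) + msg

def tcp_unframe(stream):
    """Strip the length prefix and return exactly one DNS message."""
    (length,) = struct.unpack(">H", stream[:2])
    return stream[2:2 + length]

QUERY = build_query("example.test.", qtype=1, txid=0x1234)
# Constructed sample responses: the question echoed back with no answer records,
# identical except for the TC flag (0x8180 = QR,RD,RA; 0x8380 adds TC).
QUESTION = QUERY[12:]
NORMAL_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION
TRUNCATED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, resp in (("normal", NORMAL_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        action = "retry over TCP" if needs_tcp_retry(resp) else "use UDP answer"
        print(f"{label}: TC={parse_header(resp)['tc']} -> {action}")
    print("TCP-framed query length prefix:", tcp_frame(QUERY)[:2].hex())
```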