Re: [FW-1] DNS Question
> What is incorrect! AFAIK 53/TCP is used for zone transfers, please
> correct me if I am wrong. Dear Don, please refer to RFC 1035

Funny, you are referring to an RFC you do not seem to have read. The RFC does not require lookups to be performed via UDP. It is a suggestion for performance reasons. Please see section 4.2. Also, please read the second paragraph of section 4.2.1:

"Messages carried by UDP are restricted to 512 bytes"

Imagine requesting the MX record for a site with a large number of MX records. You could exceed this limit. TCP can be used for ordinary DNS queries. In fact, I do believe Windows uses TCP for ordinary DNS queries. As a result, you probably should not be blocking such access to your servers.

In fact, considering the insecurity of most DNS implementations and the traffic involved, you are probably better off with a bastion host serving as an external DNS server. Less load on your firewall, and less risk to other hosts on your DMZ if the DNS gets hacked.

-Don
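The 512-byte UDP limit and the TCP retry that Don describes, as an added example that is not part of the original post or of any Check Point code. It builds a raw MX query, shows a server-side reply being truncated (TC=1) once too many MX records are packed in, and implements the client side that falls back to TCP with the 2-byte length prefix from RFC 1035 section 4.2.2. The server address 192.0.2.53 and the mx*.example.com hosts are placeholders; the offline demo uses only constructed messages and never opens a socket.

```python
"""DNS over UDP with fallback to TCP on truncation (RFC 1035 4.2.1 / 4.2.2).
Added example for this thread, not code from the post or from Check Point.
Server address and MX hosts are placeholders; the demo below is offline."""
import socket
import struct

QTYPE = {"A": 1, "MX": 15, "TXT": 16, "AXFR": 252}
UDP_MAX = 512      # RFC 1035 4.2.1: messages carried by UDP are limited to 512 bytes
FLAG_QR = 0x8000   # response bit
FLAG_TC = 0x0200   # TrunCation: reply did not fit, client should retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available

def encode_name(name):
    """Dotted name -> wire labels (length byte + label, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Standard query: one question, RD set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def question_end(msg):
    """Offset just past the (uncompressed) question section."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4          # root terminator + QTYPE/QCLASS

def is_truncated(msg):
    """True when the response header has TC set."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)

def build_mx_response(query, mx_hosts, ttl=300):
    """Constructed reply with one MX RR per host, sized as a server would build it."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:question_end(query)]
    answers = b""
    for pref, host in enumerate(mx_hosts, start=10):
        rdata = struct.pack("!H", pref) + encode_name(host)
        # 0xC00C: compression pointer to the owner name at offset 12 (the question)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["MX"], 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, len(mx_hosts), 0, 0)
    return header + question + answers

def fit_for_udp(response):
    """Server side: over 512 bytes, keep header + question only and set TC.
    Real servers may keep whatever RRs fit; the TC bit is what the client acts on."""
    if len(response) <= UDP_MAX:
        return response
    txid, flags, qd = struct.unpack("!HHH", response[:6])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0)
    return header + response[12:question_end(response)]

def tcp_frame(msg):
    """RFC 1035 4.2.2: on TCP each message carries a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def query_udp(server, msg, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recvfrom(UDP_MAX)[0]

def query_tcp(server, msg, timeout=3.0):
    """Needs 53/tcp open on the firewall, not only 53/udp."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(msg))
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        return _recv_exact(s, length)

def resolve_raw(server, name, qtype):
    """Client behaviour from the post: UDP first, retry over TCP when TC=1."""
    q = build_query(name, qtype)
    resp = query_udp(server, q)
    if is_truncated(resp):
        resp = query_tcp(server, q)
    return resp

if __name__ == "__main__":
    q = build_query("example.com", "MX")
    few = fit_for_udp(build_mx_response(q, ["mx1.example.com", "mx2.example.com"]))
    many = fit_for_udp(build_mx_response(q, ["mx%d.example.com" % i for i in range(1, 21)]))
    print("2 MX records: %d bytes, TC=%s" % (len(few), is_truncated(few)))
    print("20 MX records on UDP: %d bytes, TC=%s -> retry over TCP" % (len(many), is_truncated(many)))
    # resolve_raw("192.0.2.53", "example.com", "MX")  # placeholder server; needs 53/udp and 53/tcp
```

With two MX hosts the reply is 91 bytes and goes out unchanged; with twenty it would be 660 bytes, so the UDP copy is cut back to the 29-byte header-plus-question with TC set, and `resolve_raw` re-asks over TCP. A firewall that passes only 53/udp makes that second step fail, which is the practical reason not to block 53/tcp.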