tcp limitations

Jim Reid jim at rfc1035.com
Tue Jun 12 08:48:34 UTC 2001


>>>>> "Guy" == Guy Pazi <guy at wanwall.com> writes:

    Guy> Since I don't have many choices but to block all UDP traffic,
    Guy> including the DNS ones, then I'll stick to my last question
    Guy> (phrased a bit differently): If all DNS traffic ought to be
    Guy> in TCP, the only limitation allowed is on the number of
    Guy> concurrent open connections (limitations on type/class are
    Guy> not allowed). DNS servers have the option of explicitly
    Guy> limiting the number of concurrent TCP queries, while the OS
    Guy> resources for TCP connections are limited as well.

This makes no sense. You might as well ask "if the sky is purple with
green stripes, what would be the capital of the Austro-Hungarian
empire?"

If you block all UDP traffic, DNS will not work. End of story. Name
servers use UDP *by default* and only use TCP when a UDP answer is
truncated. So either you get someone with a clue to define your
security policy and configure your firewall appropriately or else you
put your name servers outside the firewall. There is no alternative.

    Guy> and to the question: What is the scale of concurrent TCP
    Guy> connections a DNS server can support? ~1000? ~100000?

It depends on the operating system and its TCP/IP stack.

Why are you asking this question? It has no relevance at all to your
setup or the problem you are trying to deal with. Your comments about
a root server are even more irrelevant. You don't run one and your
name servers won't get anything like that level of traffic. In fact, if
they're stuck behind this exceptionally silly firewall, your servers
won't get any DNS queries at all.
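The UDP-first, TCP-on-truncation behaviour described above, as an added example that is not code from this post or from BIND: it builds a minimal query, reads the TC bit from a constructed UDP reply, applies the 2-byte length framing DNS uses over TCP, and models a resolver's transport decision. The sample replies and the `send_udp`/`send_tcp` callables are constructed stand-ins for a real socket, so the block runs offline; with the UDP path blocked, the resolver fails before any TCP fallback can happen.

```python
import struct

# Constructed example (not from the post): how a resolver chooses UDP or TCP.
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # response was truncated: client must retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query: 12-byte header plus one IN-class question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a transport decision needs."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_reply, expected_id):
    """True only for a response matching our transaction id with TC set."""
    h = parse_header(udp_reply)
    return h["id"] == expected_id and h["qr"] and h["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its 16-bit big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(buf):
    """Split a TCP byte stream into complete DNS messages; return (msgs, leftover)."""
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break  # partial message: wait for more bytes
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def resolve_transport(send_udp, send_tcp, qname):
    """Model the resolver: UDP first, TCP only if the UDP answer has TC=1.

    send_udp / send_tcp are hypothetical callables standing in for sockets:
    they take the bytes to send and return the reply, or None when the
    transport is blocked (e.g. by a firewall dropping UDP/53)."""
    query = build_query(qname)
    udp_reply = send_udp(query)
    if udp_reply is None:
        return "failed: no UDP reply (UDP blocked?)", None
    if not needs_tcp_retry(udp_reply, parse_header(query)["id"]):
        return "udp", udp_reply
    tcp_reply = send_tcp(frame_for_tcp(query))
    if tcp_reply is None:
        return "failed: truncated over UDP and TCP blocked", None
    msgs, _ = unframe_from_tcp(tcp_reply)
    return "tcp", (msgs[0] if msgs else None)


# Constructed sample replies (headers only; no answer section is needed here).
TRUNCATED_UDP_REPLY = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
FULL_REPLY = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    # UDP blocked at the firewall: the TCP path is never reached.
    print(resolve_transport(lambda q: None, lambda q: frame_for_tcp(FULL_REPLY), "example.com"))
    # UDP answer truncated: resolver retries over TCP.
    print(resolve_transport(lambda q: TRUNCATED_UDP_REPLY,
                            lambda q: frame_for_tcp(FULL_REPLY), "example.com"))
    # Normal case: a complete UDP answer, TCP unused.
    print(resolve_transport(lambda q: FULL_REPLY, lambda q: None, "example.com"))
```

A quick check for a firewall rule set is therefore whether UDP/53 to the name servers is permitted at all; a rule that allows only TCP/53 leaves the first hop of every lookup with no reply, regardless of how many concurrent TCP connections the server could hold.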

