Restricting TCP / 53 on the firewall level
Barry Margolin
barmar at genuity.net
Tue Mar 26 15:37:34 UTC 2002
In article <a7pfe8$ql6 at pub3.rc.vix.com>, Jim Reid <jim at rfc1035.com> wrote:
>>>>>> "Barry" == Barry Margolin <barmar at genuity.net> writes:
>
> >> That may be your experience. But it still doesn't make the
> >> practice of blocking TCP queries right or sensible.
>
> Barry> True interoperability means complying with de facto
> Barry> standards, not just official standards. Any application
> Barry> that depends critically on TCP DNS to remote servers is
> Barry> likely not fully interoperable, because so many sites
> Barry> firewall their DNS servers in this way. Reality bites.
>
>So much for the principle of "be liberal in what you accept and
>conservative about what you send": the true cornerstone of
>interoperability.
RFC 1123 says:

    DNS resolvers and recursive servers MUST support UDP, and
    SHOULD support TCP, for sending (non-zone-transfer) queries.
    Specifically, a DNS resolver or server that is sending a
    non-zone-transfer query MUST send a UDP query first.

So any client that requires TCP for non-truncated queries is violating the
standard. On the other hand, supporting TCP in the server is only a
SHOULD, not a MUST.
So who is really violating the protocol if the client requires TCP and the
server blocks it?
--
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
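The UDP-first, TCP-only-on-truncation sequence that the RFC 1123 text quoted in the post prescribes, written out as an added example. This is not code from the original post, from BIND, or from any other resolver; all function names are my own, and the "transports" are constructed stand-ins for a UDP socket and a TCP socket so that the example runs offline and can also model the case the thread is about: a firewall that drops TCP/53 after the UDP answer came back with TC=1.

```python
import struct

# Constructed example: no network is used. udp_*/tcp_* below stand in for
# real sockets; the wire-format helpers follow RFC 1035 header layout.

QTYPE_A = 1
QCLASS_IN = 1
TC_FLAG = 0x0200   # TrunCation bit in the DNS header flags word
QR_FLAG = 0x8000   # response bit


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, null-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Header (RD=1) plus a single question; what goes on the wire over UDP."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Pull ID, QR, TC, RCODE and section counts out of the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR_FLAG), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def rfc1123_resolve(query: bytes, udp_send, tcp_send) -> dict:
    """Send over UDP first; retry over TCP only if the UDP reply carries TC=1.

    udp_send(msg) -> reply bytes; tcp_send(framed) -> framed reply bytes,
    where 'framed' means a 2-byte big-endian length prefix (RFC 1035 4.2.2).
    """
    qid = parse_header(query)["id"]
    udp_reply = udp_send(query)
    hdr = parse_header(udp_reply)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("UDP reply does not match the query")
    if not hdr["tc"]:
        return {"transport": "udp", "truncated": False,
                "ancount": hdr["ancount"], "message": udp_reply}
    # Truncated: a TC=1 reply is to be ignored and the query re-sent over a
    # transport that permits a larger answer (RFC 2181 section 9).
    try:
        framed = tcp_send(struct.pack("!H", len(query)) + query)
    except OSError as exc:
        # TCP/53 filtered (timeout/refused): no usable answer at all.
        return {"transport": None, "truncated": True, "ancount": 0,
                "error": str(exc)}
    (length,) = struct.unpack("!H", framed[:2])
    body = framed[2:2 + length]
    if len(body) != length:
        raise ValueError("TCP reply shorter than its length prefix")
    hdr = parse_header(body)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("TCP reply does not match the query")
    return {"transport": "tcp", "truncated": False,
            "ancount": hdr["ancount"], "message": body}


# --- constructed server behaviour ------------------------------------------

def make_reply(query: bytes, truncated: bool, answer_count: int) -> bytes:
    """Echo the question back with QR/RD/RA set and answer_count fake A RRs."""
    qid = parse_header(query)["id"]
    flags = 0x8180 | (TC_FLAG if truncated else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, answer_count, 0, 0)
    rrs = b""
    for i in range(answer_count):
        # 0xC00C: compression pointer to the question name at offset 12;
        # 192.0.2.0/24 is the documentation range.
        rrs += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4)
        rrs += bytes([192, 0, 2, i + 1])
    return header + query[12:] + rrs


def udp_complete(query):      # small answer fits in UDP
    return make_reply(query, truncated=False, answer_count=1)


def udp_truncating(query):    # answer too big for UDP: TC=1, no answers kept
    return make_reply(query, truncated=True, answer_count=0)


def tcp_full(framed):         # TCP/53 open: full answer, length-prefixed
    (length,) = struct.unpack("!H", framed[:2])
    reply = make_reply(framed[2:2 + length], truncated=False, answer_count=3)
    return struct.pack("!H", len(reply)) + reply


def tcp_filtered(framed):     # TCP/53 dropped by a firewall
    raise TimeoutError("TCP/53 dropped by firewall (constructed)")


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    for udp, tcp in [(udp_complete, tcp_full), (udp_truncating, tcp_full),
                     (udp_truncating, tcp_filtered)]:
        print(udp.__name__, tcp.__name__, "->", rfc1123_resolve(q, udp, tcp))
```

The three runs in the `__main__` block show the three outcomes the thread argues about: a small answer never touches TCP at all, a truncated UDP answer is completed over TCP when port 53/tcp is open, and the same truncated answer leaves the client with nothing usable when the firewall drops TCP, since the TC=1 reply cannot be treated as the answer.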