Restricting TCP / 53 on the firewall level

Simon Waters Simon at wretched.demon.co.uk
Tue Mar 26 17:41:14 UTC 2002


Barry Margolin wrote:
> 
> RFC 1123 says:
> 
>             DNS resolvers and recursive servers MUST support UDP, and
>             SHOULD support TCP, for sending (non-zone-transfer) queries.
>             Specifically, a DNS resolver or server that is sending a
>             non-zone-transfer query MUST send a UDP query first.
> 
> So any client that requires TCP for non-truncated queries is violating the
> standard.  On the other hand, supporting TCP in the server is only a
> SHOULD, not a MUST.
> 
> So who is really violating the protocol if the client requires TCP and the
> server blocks it?

Hmm, RFC 1035 made it a mandatory requirement, and RFC 1123
recommends doing it for future use?!

So if you wrote your DNS server before 1989 it was clearly
mandatory; if you failed to implement it after 1989 you were
just being short-sighted ;)

If you wrote it after 1999 you should have tried EDNS0 if you
had the vaguest inkling it might work (who worded that thing?).
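The two behaviours the thread turns on, the RFC 1123 "UDP first, TCP only when the reply is truncated" rule and the EDNS0 (RFC 2671) payload-size advertisement, are easy to see on the wire. The following is an added example, not code from the thread or from BIND: it builds a query packet, optionally appends an EDNS0 OPT record, parses a constructed reply carrying the TC bit, and shows the 2-byte length framing a TCP retry would use. The transaction id, the name `example.com` and the reply are all constructed inline; no network access happens, so it runs offline. A resolver behind a firewall that drops TCP/53 gets exactly as far as `needs_tcp_retry` returning True and then has nowhere to go, which is the failure the thread is about.

```python
"""
Added example (not from the bind-users thread or from BIND): the UDP-first /
TCP-fallback client logic RFC 1123 describes, plus the EDNS0 OPT record that
lets a client advertise a UDP payload larger than the classic 512 bytes so
fewer replies are truncated in the first place.  All packets below are
constructed in memory; no sockets are opened.
"""
import struct
from typing import Optional

# id, flags, qdcount, ancount, nscount, arcount (RFC 1035 s4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")
FLAG_TC = 0x0200               # truncation bit in the flags word
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as wire-format length-prefixed labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = TYPE_A,
                edns_udp_size: Optional[int] = None) -> bytes:
    """Build a recursive (RD=1) query.  If edns_udp_size is given, append an
    EDNS0 OPT pseudo-RR in the additional section advertising that UDP size."""
    arcount = 1 if edns_udp_size else 0
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    packet = header + question
    if edns_udp_size:
        # OPT RR: root name (0x00), TYPE=41, the CLASS field carries the UDP
        # payload size, the TTL field carries ext-RCODE/version/flags (zero
        # here), RDLENGTH=0.
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return packet


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header and expose the TC bit as a boolean."""
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(packet, 0)
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "truncated": bool(flags & FLAG_TC)}


def needs_tcp_retry(udp_response: bytes, expected_id: int) -> bool:
    """RFC 1123 client rule: the UDP query goes first; only a reply with TC=1
    justifies re-sending the same question over TCP."""
    hdr = parse_header(udp_response)
    if hdr["id"] != expected_id:
        raise ValueError("response id does not match the query id")
    return hdr["truncated"]


def frame_for_tcp(message: bytes) -> bytes:
    """DNS over TCP (RFC 1035 s4.2.2) prefixes each message with a 2-byte length."""
    return struct.pack("!H", len(message)) + message


def constructed_truncated_reply(txid: int) -> bytes:
    """A constructed server reply: QR=1, RD=1, RA=1, TC=1, the question echoed,
    no answer records (they did not fit in the UDP datagram)."""
    flags = 0x8000 | 0x0100 | 0x0080 | FLAG_TC
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    return DNS_HEADER.pack(txid, flags, 1, 0, 0, 0) + question


if __name__ == "__main__":
    txid = 0x1234
    query = build_query(txid, "example.com")
    reply = constructed_truncated_reply(txid)
    if needs_tcp_retry(reply, txid):
        tcp_msg = frame_for_tcp(query)
        print("UDP reply truncated; TCP/53 retry would send", len(tcp_msg), "bytes")
    edns_query = build_query(txid, "example.com", edns_udp_size=4096)
    print("same query with EDNS0 (4096-byte UDP):", len(edns_query), "bytes")
```

The EDNS0 path does not remove the need for TCP: a reply larger than the advertised size, or a server that ignores the OPT record, still comes back with TC=1, so a firewall policy that drops TCP/53 to a resolver's own queries breaks lookups in exactly the case the RFCs planned for.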