Why server output from disallowed interface?

Spam Averse info at optinbig.com
Sat Feb 21 05:27:38 UTC 2004


I'm running BIND v9.2.1 on a (Red Hat v9) Linux box.  I have configured bind
to only respond to queries on interface eth0, yet it seems that there are
outbound zone transfers on eth1.

Here's a snippet of my named.conf:

   listen-on { 127.0.0.1; 192.168.0.1; };
   allow-query { 127.0.0.1; 192.168.0/24; };

Interface eth0 is on 192.168.0/24, while eth1 is the interface to the
internet.  My server is authoritative for my network and acts as a caching
server for all other queries.

My understanding is that TCP is only used when a zone transfer is too big to
fit in a UDP packet.  Thus I should only *transmit* on TCP to transfer
zone info to other machines on my network, right?

So why do I get TCP output from my internet interface?  Here's a couple of
examples, logged by Linux's iptables firewall (with my source address
removed):

Feb 20 11:42:04 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
DST=64.246.26.64 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP
SPT=33424 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0

Feb 20 14:15:52 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aa.bbb.ccc.ddd
DST=193.171.255.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP
SPT=33763 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0

Note that the protocol is TCP and the destination port is 53.

According to my understanding this is a zone transfer to the machine shown
as the destination address.  As shown above, though, I have not permitted
the answering of queries on the interface on which this data is being sent.

Can someone please explain to me what's going on here?

Thanks.


-- 
Please respond to the group, not by e-mail.
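As an added illustration (not part of the original post), here is a small Python parser for the netfilter LOG lines quoted above that classifies each TCP/53 record by who opened the connection: a bare SYN leaving OUT=eth1 from an ephemeral source port is a connection the local host initiated as a client, which is what a caching server does when a remote server's UDP answer is truncated and it retries over TCP, while listen-on and allow-query only govern queries arriving at the server. The PKTCHK prefix and the two sample lines are taken from the post; the classification labels are my own.

```python
import re

# Two netfilter LOG lines as quoted in the post (source address masked by the poster).
SAMPLE_LINES = [
    "Feb 20 11:42:04 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd "
    "DST=64.246.26.64 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP "
    "SPT=33424 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 20 14:15:52 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aa.bbb.ccc.ddd "
    "DST=193.171.255.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP "
    "SPT=33763 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# Bare tokens the LOG target emits without a value (IP and TCP flags).
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "CE"}


def parse_iptables_line(line):
    """Turn the KEY=VALUE part of a netfilter LOG line into a dict.
    Bare flag tokens (SYN, DF, ...) are collected in the 'flags' set;
    empty values such as IN= become ''."""
    fields = {"flags": set()}
    _, _, rest = line.partition("kernel: ")       # drop syslog timestamp/host
    prefix, _, body = rest.partition(":")          # 'PKTCHK' : 'IN= OUT=eth1 ...'
    fields["prefix"] = prefix
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in FLAGS:
            fields["flags"].add(tok)
    return fields


def classify_dns_tcp(pkt):
    """Say which side opened this TCP/53 connection, from direction and flags.
    A SYN without ACK is the first packet of a connection; if it is leaving on
    OUT=<iface> from an ephemeral source port, *this* host is the client."""
    if pkt.get("PROTO") != "TCP":
        return "not-tcp"
    if "SYN" not in pkt["flags"] or "ACK" in pkt["flags"]:
        return "not-a-connection-open"
    sport, dport = int(pkt.get("SPT", 0)), int(pkt.get("DPT", 0))
    if pkt.get("OUT") and not pkt.get("IN") and dport == 53 and sport >= 1024:
        return "outbound-client-query"          # our resolver contacting a remote server
    if pkt.get("IN") and not pkt.get("OUT") and dport == 53:
        return "inbound-query-to-our-server"    # someone asking us (could be AXFR)
    return "other"


def summarize(lines):
    """Return (destination, classification) for each log line."""
    return [(p["DST"], classify_dns_tcp(p)) for p in map(parse_iptables_line, lines)]
```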

