Re: DNS zone transfer

From: Ed Schmollinger (schmolli@frozencrow.org)
Date: 06/10/02


Date: Mon, 10 Jun 2002 09:02:23 -0500
From: Ed Schmollinger <schmolli@frozencrow.org>
To: David Schwartz <davids@webmaster.com>

On Sun, Jun 09, 2002 at 04:18:38PM -0700, David Schwartz wrote:
> On Sun, 9 Jun 2002 13:28:39 -0300, Maximiliano Perez wrote:
> >They can restrict it via:
> >
> > - Filtering port 53/tcp, try telneting.
>
> They can't filter port 53/tcp if the are authoritative for any domains.
> Support for TCP queries is not optional.

No, they can't filter port 53/tcp if they expect zone transfers or large
responses to work. Being authoritative is independent of the query
mechanism. RFC compliance requires that TCP support be present, but for
most setups, it can be safely disabled (via FW rules or whatever) for
non-secondaries. The security (conscious|zealots) like to disable TCP
because it's harder to get an interactive shell on a machine if you can
only talk to it through UDP.

-- 
Ed Schmollinger - schmolli@frozencrow.org