Re: DNS zone transfer

From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 06/11/02


From: Frank Knobbe <fknobbe@knobbeits.com>
To: Ed Schmollinger <schmolli@frozencrow.org>
Date: 10 Jun 2002 21:24:27 -0500


On Mon, 2002-06-10 at 09:02, Ed Schmollinger wrote:
> No, they can't filter port 53/tcp if they expect zone transfers or large
> responses to work. Being authoritative is independent of the query
> mechanism. RFC compliance requires that TCP support be present, but for
> most setups, it can be safely disabled (via FW rules or whatever) for
> non-secondaries. The security (conscious|zealots) like to disable TCP
> because it's harder to get an interactive shell on a machine if you can
> only talk to it through UDP.

I don't want to drift further off-topic, but appending -u to netcat
isn't that much harder...

Regards,
Frank
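Ed's point above is that TCP/53 cannot simply be dropped on an authoritative server, but that zone transfers should be confined to the actual secondaries. The usual way to express that in the name server itself is shown below as an added example for BIND 9; it is not configuration from the thread, and the zone name and the secondary addresses (192.0.2.10 and 2001:db8::10, from the documentation ranges) are made up for illustration.

```conf
// Added example, not from the original thread. BIND 9 named.conf fragments
// with a hypothetical zone and hypothetical secondary addresses.

// Weak: no allow-transfer statement. Many BIND releases default to permitting
// AXFR to any host, so anyone who can reach TCP/53 can pull the whole zone.
zone "example.net" {
    type primary;
    file "/var/named/example.net.zone";
};

// Corrected: AXFR/IXFR only to the listed secondaries, and NOTIFY only to them.
acl "secondaries" { 192.0.2.10; 2001:db8::10; };

zone "example.net" {
    type primary;
    file "/var/named/example.net.zone";
    allow-transfer { secondaries; };
    also-notify { 192.0.2.10; 2001:db8::10; };
    notify explicit;
};
```

Restricting transfers in named.conf and restricting TCP/53 at the firewall are complementary, not interchangeable: the ACL stops unwanted AXFR even from hosts that can reach the port, while TCP/53 still has to stay open to the secondaries and to resolvers that retry over TCP after a truncated UDP answer.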