[lug] Quote of the Day

Nate Duehr nate at natetech.com
Wed Feb 7 03:26:28 MST 2001


On Wed, Feb 07, 2001 at 10:11:29AM +0100, rm at mamma.varadinet.de wrote:
> Um, I've done it many times (for incoming tcp connections on 53)
> and never had problems so far.

TCP should only be inbound to a DNS server unless it's servicing slave
servers.  Then you need TCP open both ways.

Queries can be either high ports (1024 =>) or port 53 and should always
be UDP unless TSIG or DNSSEC is being used (rare).

If you use the "dig" or "nslookup" tools and do authoritative zone
transfers larger than 512 bytes, the answer will come back TCP instead
of UDP inbound to your resolver also.

-- 
Nate Duehr <nate at natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
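The UDP query, truncated reply and TCP retry that the post above refers to, as an added example (this is not code from the original post or from the list; names such as `query_with_fallback`, `fake_servers` and the constructed 40-record reply are assumptions for illustration). The 512-byte UDP limit, the TC flag and the 2-byte length prefix on DNS-over-TCP messages are from RFC 1035. The block builds a minimal query, checks the TC bit in the reply header, and repeats the same question over TCP only when the server could not fit the answer in 512 bytes; an in-memory fake server lets it run offline, and the two `*_transport` helpers show the same exchange against a real server.

```python
import socket
import struct

DNS_UDP_MAX = 512          # classic UDP payload limit (RFC 1035, no EDNS0)
FLAG_QR = 0x8000           # message is a response
FLAG_TC = 0x0200           # truncated: client should retry over TCP
FLAG_RD = 0x0100           # recursion desired


def encode_name(name):
    # 'example.com' -> b'\x07example\x03com\x00'
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    # header: id, flags, qdcount=1, ancount, nscount, arcount; then question (class IN)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def frame_tcp(msg):
    # DNS over TCP: every message is prefixed with a 2-byte big-endian length
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf):
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        raise ValueError("incomplete TCP DNS message")
    return buf[2:2 + n]


def udp_transport(server, port=53, timeout=3.0):
    # Real UDP/53 transport (assumed helper, not used by the offline demo)
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recv(DNS_UDP_MAX)
    return send


def tcp_transport(server, port=53, timeout=3.0):
    # Real TCP/53 transport: read the 2-byte length, then exactly that many bytes
    def send(framed):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(framed)
            f = s.makefile("rb")
            length = f.read(2)
            return length + f.read(struct.unpack("!H", length)[0])
    return send


def query_with_fallback(name, udp_send, tcp_send, qtype=1, txid=0x1234):
    """Send over UDP; if the server set TC (answer did not fit in 512 bytes),
    repeat the same question over TCP. udp_send(query) -> reply bytes,
    tcp_send(framed query) -> framed reply bytes."""
    query = build_query(name, qtype, txid)
    reply = udp_send(query)
    hdr = parse_header(reply)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("UDP reply does not match our query")
    if not hdr["tc"]:
        return "udp", reply
    reply = unframe_tcp(tcp_send(frame_tcp(query)))
    hdr = parse_header(reply)
    if hdr["id"] != txid or not hdr["qr"] or hdr["tc"]:
        raise ValueError("TCP reply does not match our query")
    return "tcp", reply


def make_answer(query, n_records):
    # Constructed reply: question echoed back plus n_records A records of 16 bytes
    # each (compression pointer 0xC00C to the question name, IN, TTL 300, 4-byte rdata)
    txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    question = query[12:]
    rr = struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes([10, 0, 0, 1]))
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | 0x0080, qd, n_records, 0, 0)
    return header + question + rr * n_records


def fake_servers(n_records):
    """Constructed in-memory server (no network); returns (udp_send, tcp_send)."""
    def udp(query):
        full = make_answer(query, n_records)
        if len(full) <= DNS_UDP_MAX:
            return full
        # Too big for UDP: set TC and cut at 512 bytes, as a classic server does
        flags = struct.unpack("!H", full[2:4])[0] | FLAG_TC
        return full[:2] + struct.pack("!H", flags) + full[4:DNS_UDP_MAX]

    def tcp(framed):
        return frame_tcp(make_answer(unframe_tcp(framed), n_records))
    return udp, tcp


def resolve_demo(n_records):
    udp, tcp = fake_servers(n_records)
    transport, reply = query_with_fallback("example.com", udp, tcp)
    return transport, len(reply), parse_header(reply)["ancount"]


if __name__ == "__main__":
    print("2 records :", resolve_demo(2))    # fits in UDP
    print("40 records:", resolve_demo(40))   # truncated, completed over TCP
```

With 2 records the 61-byte reply arrives over UDP; with 40 records the 669-byte reply is cut to 512 bytes with TC set, and the resolver repeats the question over TCP to get the whole answer. The TCP retry is outbound from the resolver to the server's port 53, so a filter that passes only UDP/53 in that direction makes every truncated answer fail rather than merely slow down; watching for TC-set replies with no matching TCP connection is a quick way to spot such a filter.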
