[lug] firewall question (disregard)

Nate Duehr nate at natetech.com
Thu Sep 20 16:04:23 MDT 2001


If the machine is a nameserver (I don't think you're doing this, but
hey...) that hosts a large zone that will respond with a lot of NS
records, it can cause the packet size to go larger than a standard
single UDP packet which will cause named to switch to TCP mode.  TCP's
also used for authoritative zone transfers.

If you're running a caching nameserver on a webserver to increase
performance, for example, you have to allow incoming TCP sessions to the
named on the box also or some sites will appear to be down when they're
really not.

Lots of people forget named uses TCP and forget to open it in their
firewalls, especially when running their own caching nameservers for
lookups only.

Chip Atkinson wrote:
> 
> Sorry for the stupid question.  The name servers have to connect to the
> root servers.  Back to my hole...
> 
> Chip Atkinson wrote:
> 
> > Greetings,
> >
> > Is there any occasion where a web and name server should be allowed to
> > initiate outgoing connections?  I don't believe that there is any, but
> > the one thing I don't know about is UDP DNS traffic.  Does the UDP dns
> > traffic arise because it is contacted via UDP instead of TCP, or does
> > the name server start a UDP connection back?  That doesn't seem quite
> > reasonable.
> >
> > Thanks in advance.
> >
> > Chip
> >
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 

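The UDP-to-TCP fallback described above, as an added example that is not part of this thread: a minimal DNS wire-format builder (constructed zone and nameserver names, no real network traffic) that truncates an NS answer exceeding the 512-byte UDP limit, sets the TC bit, and has the client repeat the query over TCP, which is the port 53/TCP session a firewall in front of named has to permit.

```python
import struct

# Minimal DNS wire-format helpers (no real network, constructed names) showing
# why a resolver needs TCP: an answer over the classic 512-byte UDP limit is
# cut short with the TC (truncated) bit set, and the client retries over TCP.

UDP_MAX = 512          # DNS-over-UDP payload limit without EDNS (RFC 1035)
TC_FLAG = 0x0200       # "truncated" bit in the DNS header flags
HEADER_LEN = 12        # fixed DNS header size

def encode_name(name):
    """Encode a dotted name as DNS labels: example.com -> [7]example[3]com[0]."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_ns_response(qname, ns_names, over_udp=True):
    """Server side: one NS RR per name; stop and set TC when UDP would overflow."""
    flags = 0x8400                                   # QR=1 (response), AA=1
    question = encode_name(qname) + struct.pack("!HH", 2, 1)   # QTYPE=NS, QCLASS=IN
    answers, count = b"", 0
    for ns in ns_names:
        rdata = encode_name(ns)
        rr = encode_name(qname) + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
        if over_udp and HEADER_LEN + len(question) + len(answers) + len(rr) > UDP_MAX:
            flags |= TC_FLAG                         # tell the client to retry over TCP
            break
        answers += rr
        count += 1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, count, 0, 0)
    return header + question + answers

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)

def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]

def resolve_ns(qname, ns_names):
    """Client side: query over UDP first; if TC is set, repeat the query over TCP.
    Returns (transport_used, final_message)."""
    udp_reply = build_ns_response(qname, ns_names, over_udp=True)
    if not is_truncated(udp_reply):
        return "udp", udp_reply
    return "tcp", build_ns_response(qname, ns_names, over_udp=False)

if __name__ == "__main__":
    zone = "example.com."                                                    # constructed
    servers = [f"ns{i:02d}.example-hosting-provider.net." for i in range(30)]  # constructed
    transport, reply = resolve_ns(zone, servers)
    print(transport, answer_count(reply), "NS records,", len(reply), "bytes")
```

With 30 NS records the UDP reply fits only 8 of them and carries TC=1, so the client's second attempt goes over TCP and gets all 30; block that TCP session at the firewall and the lookup simply fails.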