On Wed, 14 Dec 2005, Daniel Lorch wrote:
> Hi
> almost a week ago I wrote to Switch about this problem, but I haven't got an answer so far, so I wondered whether you guys/girls knew more about this:
> Warnings Test: Server doesn't listen/answer on port 53 for TCP protocol ==> ns1.tsunamihost.ch./217.150.245.14 ==> ns2.tsunamihost.ch./217.160.142.96
> According to RFC 1035, Chapter 4.2:
> "The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better performance."
> ftp://ftp.ietf.org/rfc/rfc1035.txt
> Why do I need to allow TCP connections? To me, TCP is AXFR and I'm NOT going to allow AXFR for everyone.
Besides AXFRs, as stated by the RFC, there may be perfectly valid reasons for DNS over TCP, for example when answers exceed 512 bytes. As for AXFRs from unwanted sources, you can filter them with BIND ACLs, as explained in another post.
Regards,
- yann
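To make the point of the reply concrete, here is an added example (not code from the thread, not BIND code) of the client-side behaviour that breaks when a name server drops 53/TCP: a minimal DNS client that queries over UDP, checks the TC (truncation) bit in the reply header, and repeats the same question over TCP with the 2-byte length framing from RFC 1035 section 4.2.2. The server address 192.0.2.1, the name example.com and the reply bytes in demo_offline() are constructed for illustration; only udp_exchange() and tcp_exchange() touch the network, and they are not called by the offline demo.

```python
import socket
import struct

# Added example, not from the original thread or from BIND: a UDP-first DNS
# client with TCP fallback on truncation.  Server 192.0.2.1 and the canned
# replies below are constructed test data.

QTYPE_TXT = 16          # TXT answers (SPF, DKIM, ...) commonly exceed 512 bytes
QCLASS_IN = 1
FLAG_QR = 0x8000        # message is a response
FLAG_TC = 0x0200        # answer was truncated to fit the datagram
FLAG_RD = 0x0100        # recursion desired
UDP_MAX = 512           # RFC 1035 UDP payload limit without EDNS0


def encode_name(qname):
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=QTYPE_TXT, txid=0x1234):
    """One-question query in RFC 1035 section 4.1 wire format."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def is_truncated(msg):
    """True when the server set TC: the full answer did not fit in the UDP reply."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def frame_tcp(msg):
    """DNS over TCP: 2-byte big-endian length, then the message (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TCP connection mid-message")
        buf += chunk
    return buf


def udp_exchange(msg, server, timeout=3.0):
    """Live network: send one datagram to server:53 and return the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recv(4096)


def tcp_exchange(msg, server, timeout=3.0):
    """Live network: send one framed message over TCP and read one framed reply."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(msg))
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        return _recv_exact(s, length)


def resolve(qname, server, qtype=QTYPE_TXT, udp=udp_exchange, tcp=tcp_exchange):
    """Query over UDP; if TC is set, ask the same question again over TCP.

    Returns (transport_used, raw_response).  When the server, or a firewall in
    front of it, refuses 53/TCP, the truncated UDP reply is all a client can
    ever get, which is what the "doesn't listen/answer on port 53 for TCP"
    warning in the thread is about.
    """
    query = build_query(qname, qtype)
    reply = udp(query, server)
    if not is_truncated(reply):
        return "udp", reply
    try:
        return "tcp", tcp(query, server)
    except OSError as exc:
        raise RuntimeError(
            f"{server} truncated the UDP answer for {qname} but refuses 53/TCP: {exc}"
        ) from exc


def make_response(query, truncated=False, payload=b""):
    """Constructed server reply for offline use: echo the question with QR set."""
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    ancount = 1 if payload else 0
    return query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:] + payload


def demo_offline():
    """Run resolve() against canned transports; returns (transport, reply_len, error)."""
    big = b"\x00" * 600                      # constructed oversize answer body
    udp_trunc = lambda m, s: make_response(m, truncated=True)
    tcp_full = lambda m, s: make_response(m, payload=big)

    def tcp_refused(m, s):                   # models a firewall dropping 53/TCP
        raise ConnectionRefusedError("connection refused")

    transport, reply = resolve("example.com", "192.0.2.1", udp=udp_trunc, tcp=tcp_full)
    try:
        resolve("example.com", "192.0.2.1", udp=udp_trunc, tcp=tcp_refused)
        error = None
    except RuntimeError as exc:
        error = str(exc)
    return transport, len(reply), error


if __name__ == "__main__":
    print(demo_offline())
```

Note that EDNS0 lets a client advertise a larger UDP buffer, but servers still set TC whenever an answer does not fit, so the fallback path, and therefore 53/TCP, stays mandatory; blocking TCP while restricting zone transfers with allow-transfer is the combination that keeps AXFR closed without breaking ordinary lookups.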