[unisog] DNS over TCP should we block

John Kristoff jtk at northwestern.edu
Tue Jan 4 19:30:59 GMT 2005

On Tue, 4 Jan 2005 14:01:30 -0500
Vijay S Sarvepalli VSSARVEP <VSSARVEP at uncg.edu> wrote:

> This may have been discussed already.  I think DNS over TCP needs to be 
> allowed on the outgoing.  I tried to block and log this type of outgoing 
> query FROM MY SOURCE IP (1023+) => REMOTE SERVERS (53) TCP

DNS over TCP should be permitted, in both directions.  Some things
will break if you do not allow it.

> This seems to drop some long reverse DNS lookups and some reverse DNS that 
> seems to be carved out at less than a Class C

In general it will drop zone transfers, which may be your intention,
but also anything that doesn't fit in a 512-byte response.  This may
include a number of things, apparently you've recently seen but one
Take a look at the second half of the following presentation to get
an idea of the sort of bad thing that can happen when DNS over TCP is


Permit DNS over TCP and monitor.
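The failure mode John describes (a reply too large for a 512-byte UDP datagram comes back with the TC bit set, the resolver retries over TCP/53, and an outbound TCP/53 block turns that retry into a failed lookup), as an added simulation that is not part of the original thread. The names, the in-memory "server" and the stub-resolver logic are constructed for illustration and nothing touches the network.

```python
import struct

UDP_MAX = 512    # classic DNS/UDP payload limit (RFC 1035), the figure quoted in the thread
TC_BIT = 0x0200  # "truncated" flag in the DNS header

def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_ptr_response(qname, targets, txn_id=0x1234):
    """Full response: header, one PTR question, one PTR answer record per target."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(targets), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 12, 1)  # QTYPE=PTR, QCLASS=IN
    answers = b""
    for t in targets:
        rdata = encode_name(t)
        answers += encode_name(qname) + struct.pack("!HHIH", 12, 1, 3600, len(rdata)) + rdata
    return header + question + answers

def serve_udp(full_msg):
    """Simulated server on UDP: a reply over 512 bytes is cut back to header + question
    with TC=1, which tells the resolver to retry the same query over TCP."""
    if len(full_msg) <= UDP_MAX:
        return full_msg
    txn_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", full_msg[:12])
    qend = full_msg.index(b"\x00", 12) + 1 + 4  # end of QNAME plus QTYPE/QCLASS
    return struct.pack("!HHHHHH", txn_id, flags | TC_BIT, qd, 0, 0, 0) + full_msg[12:qend]

def resolve(qname, targets, tcp_allowed):
    """Stub-resolver logic: UDP first; on TC=1 retry over TCP/53, which a firewall
    that blocks outbound TCP/53 turns into a failed lookup."""
    full = build_ptr_response(qname, targets)
    reply = serve_udp(full)
    if not struct.unpack("!H", reply[2:4])[0] & TC_BIT:
        return {"transport": "udp", "answers": struct.unpack("!H", reply[6:8])[0], "ok": True}
    if not tcp_allowed:
        return {"transport": "tcp", "answers": 0, "ok": False}  # retry blocked: lookup fails
    return {"transport": "tcp", "answers": struct.unpack("!H", full[6:8])[0], "ok": True}

# Constructed sample: a reverse lookup whose answer carries many PTR targets
QNAME = "4.3.2.1.in-addr.arpa"
MANY_TARGETS = ["host%02d.example.net" % i for i in range(20)]

if __name__ == "__main__":
    for allowed in (True, False):
        print("outbound TCP/53 allowed=%s ->" % allowed, resolve(QNAME, MANY_TARGETS, allowed))
```

With five targets the 298-byte answer fits in UDP and the firewall rule is never exercised; with twenty it grows to 1078 bytes, so the outcome depends entirely on whether the TCP retry is allowed out.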