[unisog] DNS over TCP should we block
reggers at ist.uwaterloo.ca
Tue Jan 4 20:15:42 GMT 2005
> DNS over TCP should be permitted, in both directions. Some things
> will break if you do not allow it.
Assuming your clients are configured to use campus name servers there's no
need to open DNS over TCP (and UDP) to everyone -- constrain it to just your
campus DNS name servers.
If you allow DNS over TCP and UDP to everyone then you can expect bad guys
to exploit that.
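
Added example (not part of the original post): a Python check that audits border flow records against the policy described above, where port 53 over TCP or UDP may cross the border only when the campus-side endpoint is a campus name server. The addresses, the five-field flow record format, and the names classify and violations are assumptions made for illustration.

```python
import ipaddress

# Constructed values from documentation address ranges (assumptions, not from the post).
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
CAMPUS_DNS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54")}

# Constructed border flow records, one per line: proto src sport dst dport
SAMPLE_FLOWS = """\
udp 192.0.2.53 41000 198.51.100.7 53
tcp 192.0.2.54 41001 198.51.100.7 53
udp 192.0.2.120 50000 203.0.113.9 53
tcp 203.0.113.9 40000 192.0.2.120 53
udp 198.51.100.7 53 192.0.2.53 41000
tcp 192.0.2.120 50001 203.0.113.9 443
udp 203.0.113.80 33000 192.0.2.53 53
"""

def classify(line):
    """Return (verdict, campus_host) for one flow record."""
    proto, src, sport, dst, dport = line.split()
    # DNS traffic is port 53 on either side, so replies are covered as well.
    if proto not in ("udp", "tcp") or 53 not in (int(sport), int(dport)):
        return "not-dns", None
    endpoints = (ipaddress.ip_address(src), ipaddress.ip_address(dst))
    inside = [a for a in endpoints if a in CAMPUS_NET]
    # Only flows with exactly one campus endpoint cross the border.
    if len(inside) != 1:
        return "not-border", None
    host = inside[0]
    # Allowed only when the campus-side endpoint is a campus name server.
    return ("allow" if host in CAMPUS_DNS else "violation"), host

def violations(text):
    """List (proto, campus_host) for DNS flows that bypass the campus name servers."""
    found = []
    for line in text.splitlines():
        if not line.strip():
            continue
        verdict, host = classify(line)
        if verdict == "violation":
            found.append((line.split()[0], str(host)))
    return found

if __name__ == "__main__":
    for proto, host in violations(SAMPLE_FLOWS):
        print(f"{proto} DNS crossing the border from/to non-server host {host}")
```

Running a check like this over real flow data before tightening the border filter shows which clients are not yet using the campus name servers.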