[unisog] DNS over TCP should we block

Reg Quinton reggers at ist.uwaterloo.ca
Tue Jan 4 20:15:42 GMT 2005

> DNS over TCP should be permitted, in both directions.  Some things
> will break if you do not allow it.

I'll disagree.

Assuming your clients are configured to use campus name servers, there's no
need to open DNS over TCP (and UDP) to everyone -- constrain it to just your
campus DNS name servers.

If you allow DNS over TCP and UDP to everyone then you can expect bad guys 
to exploit that. 
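
The policy argued for in this message, written as a check over border flow records. This is an added example, not part of the original post; the campus prefix, name server addresses and flow records are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed values for this example (RFC 5737 documentation ranges).
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
CAMPUS_NAME_SERVERS = {
    ipaddress.ip_address("192.0.2.53"),
    ipaddress.ip_address("192.0.2.54"),
}

# Constructed border flow records: (proto, src, sport, dst, dport).
SAMPLE_FLOWS = [
    ("udp", "192.0.2.53", 41000, "198.51.100.7", 53),   # name server querying out
    ("tcp", "192.0.2.53", 41001, "198.51.100.7", 53),   # name server using TCP
    ("udp", "192.0.2.120", 50000, "203.0.113.9", 53),   # client bypassing name servers
    ("tcp", "203.0.113.9", 40000, "192.0.2.200", 53),   # outside host to ordinary campus host
    ("tcp", "203.0.113.9", 40001, "192.0.2.54", 53),    # outside query to campus name server
    ("tcp", "192.0.2.120", 50001, "203.0.113.9", 443),  # not DNS
]


def dns_verdict(proto, src, sport, dst, dport):
    """Classify one flow: 'n/a' (not border DNS), 'allow' or 'deny'."""
    if proto not in ("udp", "tcp") or 53 not in (sport, dport):
        return "n/a"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Only flows that cross the campus border are in scope.
    if (src_ip in CAMPUS_NET) == (dst_ip in CAMPUS_NET):
        return "n/a"
    campus_end = src_ip if src_ip in CAMPUS_NET else dst_ip
    # Same rule for TCP and UDP, in both directions: the campus end
    # of the conversation must be one of the campus name servers.
    return "allow" if campus_end in CAMPUS_NAME_SERVERS else "deny"


def audit(flows):
    """Return the flows the policy would block, for review or alerting."""
    return [f for f in flows if dns_verdict(*f) == "deny"]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(dns_verdict(*flow), flow)
```

Run against existing flow logs before enforcing the rule, the `audit` output lists the hosts that currently send DNS around the campus name servers.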
