[unisog] DNS over TCP should we block

Reg Quinton reggers at ist.uwaterloo.ca
Tue Jan 4 21:39:30 GMT 2005

> The threats that the original poster may want to avoid should be
> discussed; without this discussion, it's not possible to say whether
> blocking DNS over TCP (from where to where?) is the best way to mitigate
> them. If zone transfers are the threat in question:

If all you worry about is zone transfers, that's fine. But I'd suggest you
not wait for the problems you haven't anticipated -- block it if you can. A
well-honored security principle is to never expose a service unless you have

IMHO there's no need for anyone other than our campus DNS servers to conduct 
DNS conversations with remote systems.
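As an added illustration (not from the list post or its author) of the policy just described, here is an nftables forward-chain ruleset for a border firewall that lets only the campus DNS servers exchange DNS with outside hosts. Assumed placeholders: 192.0.2.0/24 is the campus prefix and 192.0.2.53/.54 are the campus DNS servers; TCP/53 is kept open for those servers because a truncated UDP answer is retried over TCP.

```nft
# Added example (not from the post). Assumed placeholders:
#   192.0.2.0/24            campus network (documentation prefix)
#   192.0.2.53, 192.0.2.54  the campus DNS servers
table inet dns_border {
    set campus_dns {
        type ipv4_addr
        elements = { 192.0.2.53, 192.0.2.54 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Outbound: campus DNS servers may query outside hosts over UDP
        # and TCP (TCP is the fallback for truncated UDP answers).
        ip saddr @campus_dns udp dport 53 accept
        ip saddr @campus_dns tcp dport 53 accept

        # Everyone else on campus: no direct DNS conversations with
        # outside hosts; log so the blocked attempts can be reviewed.
        ip saddr 192.0.2.0/24 udp dport 53 log prefix "dns-direct-udp " drop
        ip saddr 192.0.2.0/24 tcp dport 53 log prefix "dns-direct-tcp " drop

        # Inbound: only the campus DNS servers are reachable on port 53
        # (both transports, so zone transfers and large answers work
        # for the servers that are meant to offer them).
        ip daddr @campus_dns udp dport 53 accept
        ip daddr @campus_dns tcp dport 53 accept
        ip daddr 192.0.2.0/24 udp dport 53 log prefix "dns-inbound-udp " drop
        ip daddr 192.0.2.0/24 tcp dport 53 log prefix "dns-inbound-tcp " drop
    }
}
```

Load it with `nft -f` and watch the log prefixes for a while before tightening the chain's default policy; hosts that still talk DNS directly to the outside show up there first.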
