[unisog] DNS over TCP should we block

Clark Gaylord cgaylord at vt.edu
Wed Jan 5 20:59:17 GMT 2005


Leigh Heyman wrote:

> By "requests of unknown origin" did Florian mean requests from outside 
> clients to internal resolvers?  In that case, queries from your own 
> mailservers and webservers wouldn't qualify as "unknown" and therefore 
> should still happily use UDP, yes?

Bottom line: if you accept UDP53 from a host, you need to accept TCP53.

Golden Rule of Firewall Configuration: Try not to be stupid.

--ckg
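
A lint for the rule stated above, as an added example that is not part of the original post: it lists every source that a rule set accepts on UDP 53 without an ACCEPT rule covering the same source on TCP 53. The iptables-save style input, the sample addresses and the function names are assumptions; the check compares ACCEPT rules only and ignores rule order, chains and "!" negation.

```python
import ipaddress

# Constructed iptables-save style rules (sample data, not from the post).
SAMPLE_RULES = """\
-A INPUT -s 192.0.2.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 198.51.100.25/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 203.0.113.0/25 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j DROP
"""


def dns_accept_sources(rules_text):
    """Collect source networks of ACCEPT rules for port 53, per protocol."""
    accepted = {"udp": [], "tcp": []}
    for line in rules_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue
        # Map each option to the token that follows it (no "!" negation support).
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1)
                if tok[i].startswith("-")}
        proto = opts.get("-p")
        if (proto in accepted and opts.get("--dport") == "53"
                and opts.get("-j") == "ACCEPT"):
            # No -s means any source; IPv4 rules are assumed throughout.
            src = opts.get("-s", "0.0.0.0/0")
            accepted[proto].append(ipaddress.ip_network(src, strict=False))
    return accepted


def udp_without_tcp(rules_text):
    """Return UDP/53 sources that no TCP/53 ACCEPT rule fully covers."""
    accepted = dns_accept_sources(rules_text)
    return [str(u) for u in accepted["udp"]
            if not any(u.subnet_of(t) for t in accepted["tcp"])]


if __name__ == "__main__":
    for net in udp_without_tcp(SAMPLE_RULES):
        print(f"UDP 53 accepted from {net} but TCP 53 is not")
```

A source that TCP covers only in part, such as the /24 paired with a /25 in the sample, is reported as well, since some of its hosts would lose the TCP path.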


