Date: Mon, 29 Dec 2003 01:02:48 +0100
From: Łukasz Bromirski <lbromirski@mr0vka.eu.org>
To: freebsd-ipfw@freebsd.org
Subject: Re: need testers for a ipfw rule generation script!
Message-ID: <3FEF6F28.3000802@mr0vka.eu.org>
In-Reply-To: <200312290042.38516.bs@dva.in-berlin.de>
References: <200312262229.55270.bs@dva.in-berlin.de> <200312281856.14776.bs@dva.in-berlin.de> <Pine.BSF.4.53.0312282223470.21415@e0-0.zab2.int.zabbadoz.net> <200312290042.38516.bs@dva.in-berlin.de>
Boris Staeblow wrote:

> > DNS can also be TCP.
> > (noted by a colleague who seemed to have a closer look at it).
>
> under which circumstances is a DNS TCP connection needed?
> (I've never used a DNS TCP rule before - without any problem)

When the reply can't be inserted into a single UDP datagram - about 64K for systems going per RFC, and about 8K for old, very strange implementations. 64K is quite a large space for most queries, but I've for example seen bind 9 making a TCP connection when asked for a zone xfer that would exceed 512 bytes.

It's safe to let tcp/udp 53 get in.

-- 
Łukasz Bromirski
lbromirski:mr0vka.eu.org
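The rule set the reply recommends, written out as an added example: this is not the generation script under test in this thread, nor code from any of its participants. It is a small POSIX sh generator that emits stateful ipfw rules covering port 53 over both UDP and TCP, once for a host that only queries resolvers and once for a host that serves DNS itself. The rule numbers, the `me` keyword for the local addresses and the 192.0.2.x resolver addresses are constructed for the example; `check-state` comes first so that the dynamic entries created by `keep-state` are matched before the static rules. The TCP rules matter in the cases the reply names (a reply that does not fit a UDP datagram, which the server signals by setting the TC bit so the client retries over TCP, and zone transfers); a ruleset that only opens udp/53 makes those lookups fail silently.

```shell
#!/bin/sh
# Added example (not the script discussed in the thread): print ipfw rules
# that allow DNS over both UDP and TCP port 53.
# Assumptions: BASE is the first free rule number; "me" matches the
# firewall's own addresses; resolver/listen addresses are constructed.

# dns_client_rules BASE RESOLVER...
# Rules for a host that sends queries to the given recursive resolvers.
dns_client_rules() {
    base=$1; shift
    n=$base
    # Consult dynamic (stateful) entries before the static rules below.
    printf 'ipfw add %d check-state\n' "$n"; n=$((n + 1))
    for r in "$@"; do
        # Normal query path: UDP to the resolver, reply matched by state.
        printf 'ipfw add %d allow udp from me to %s 53 out keep-state\n' "$n" "$r"
        n=$((n + 1))
        # Retry path: TCP when the UDP reply was truncated (TC bit) or for
        # answers too large for a datagram; "setup" matches the initial SYN.
        printf 'ipfw add %d allow tcp from me to %s 53 out setup keep-state\n' "$n" "$r"
        n=$((n + 1))
    done
}

# dns_server_rules BASE LISTEN_ADDR
# Rules for a host running a nameserver on LISTEN_ADDR: accept queries on
# udp/53 and tcp/53 (zone transfers and large replies arrive over TCP).
dns_server_rules() {
    base=$1; addr=$2
    n=$base
    printf 'ipfw add %d check-state\n' "$n"; n=$((n + 1))
    printf 'ipfw add %d allow udp from any to %s 53 in keep-state\n' "$n" "$addr"
    n=$((n + 1))
    printf 'ipfw add %d allow tcp from any to %s 53 in setup keep-state\n' "$n" "$addr"
    n=$((n + 1))
}

# Usage: print a client rule set for two constructed resolver addresses.
dns_client_rules 1000 192.0.2.53 192.0.2.54
```

The output is meant to be reviewed and then fed to `sh` on the firewall; pipe it into `ipfw -q /dev/stdin` only after checking that the rule numbers do not collide with an existing set.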
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3FEF6F28.3000802>