Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 29 Dec 2003 01:02:48 +0100
From:      =?ISO-8859-2?Q?=A3ukasz_Bromirski?= <lbromirski@mr0vka.eu.org>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: need testers for a ipfw rule generation script!
Message-ID:  <3FEF6F28.3000802@mr0vka.eu.org>
In-Reply-To: <200312290042.38516.bs@dva.in-berlin.de>
References:  <200312262229.55270.bs@dva.in-berlin.de> <200312281856.14776.bs@dva.in-berlin.de> <Pine.BSF.4.53.0312282223470.21415@e0-0.zab2.int.zabbadoz.net> <200312290042.38516.bs@dva.in-berlin.de>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Boris Staeblow wrote:

> > DNS can also be TCP.
> > (noted by a colleague who seemed to have a closer look at it).
> under which circumstances is a DNS TCP connection needed?
> (I´ve never used a DNS TCP rule before - without any problem)

When reply can't be inserted into single UDP datagram - about
64K for systems going per RFC, and about 8K for old very
strange implementations. 64K is quite large space for most
queries, but I've for example seen bind 9 making TCP
connection when asked for zone xfer, that would exceed 512 bytes.

It's safe to let tcp/udp 53 get in.

-- 
Łukasz Bromirski                             lbromirski:mr0vka.eu.org



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?3FEF6F28.3000802>