Scott McGrath wrote: [..]
For a long time there has been a effective practice of
UDP == resolution requests TCP == zone transfers
WRONG. TCP is there as a fallback when the answer of the question is too large. Zone transfer you can limit in your software. If you can't configure your dns servers properly then don't run DNS. Also note that botnets have much more effective ways of taking you out. And sometimes domains actually require TCP because there are too many records for a label eg http://stupid.domain.name/node/651 If you are thus blocking TCP for DNS resolution you suddenly where blocking google and thus for some people "The Internet". Also see: http://homepages.tesco.net/J.deBoynePollard/FGA/dns-edns0-and-firewalls.html (Which was the second hit for google(EDNS0) after a link to RFC2671) Greets, Jeroen