Not to toss flammables onto the pyre. BUT there is a large difference from what the RFC's allow and common practice. In our shop TCP is blocked to all but authoratative secondaries as TCP is sinply too easy to DoS a DNS server with. We simply don't need a few thousand drones clogging the TCP connection table all trying to do zone transfers ( yes it happened and logs show drones are still trying ) For a long time there has been a effective practice of UDP == resolution requests TCP == zone transfers It would have been better if a separate port had been defined for zone transfers as that would obviate the need for a application layer gateway to allow TCP transfers so that zone transfers can be blocked and resolution requests allowed for now all TCP is blocked. Now just because someone has a bright idea they drag out a 20 y/o RFC and say SEE, SEE you must allow this because the RFC says so all the while ignoring the 20 years of operational discipline that RFC was written when the internet was like the quad at college everyone knew one and other and we were all working towards a common goal of interoperability and open systems , These days the net is more like a seedy waterfront after midnight where criminal gangs are waiting to ambush the unwary and consequently networks need to be operated from that standpoint. At the University networking level it is extremely difficult as we need to maintain a open network as much as possible but protect our infrastructure services so that they have 5 nines of availability back in the day a few small hosts would serve DNS nicely and we did not have people trying to take them down and/or infecting local hosts and attempting DHCP starvation attacks. And no we are not at the 5 nines level but we are working on it. - Scott Randy Bush wrote:
If my server responded to TCP queries from anyone other than a secondary server, I would be VERY concerned.
you may want to read the specs
randy