spf-discuss

RE: Forking SPF into The New SPF and SPF1

2004-06-07 14:27:10
James Couzens wrote:
There is little question here.  Transfers over
TCP happen in DNS all the time.

I wrote "queries", not "transfers". To begin with, I looked at customers'
access-lists this morning WRT DNS and I have not found a single one that
allowed DNS over TCP except for a small number of other DNS servers
that are known to transfer zones with the DNS server protected by the
access-list. The SPF community has zero visibility to network and
firewall admins; if you expect them to change all their security you
have to explain to me how you do that. At this point in time DNS queries
over TCP are not an option because a) they are largely untested and b)
they are blocked by almost every access-list in the world.

Following is part of my home access-list; this is
typical of what I see in many other places.

remark permit smtp.
permit tcp any host 209.233.126.65 eq smtp
remark
remark permit DNS.
permit udp any host 209.233.126.65 eq domain

Note that it says permit udp, not permit tcp or permit ip.


My issue is forcing the use of TCP period!

If you had read more carefully, you would have figured that what Tim
proposed precisely allows the UDP query except for people that want to
use XML, where TCP is required.

XML in DNS is just plain stupid.  I'll be leaving
the playground should the moon ever turn blue and
I'll be taking my ball with me!

You're free to do so any time you want.

Michel.
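The access-list excerpt above permits "udp ... eq domain" only, so any DNS query that needs TCP (a response too large for UDP that comes back truncated, for instance) is dropped by the implicit deny at the end of the list. The following is an added example, not code from the mailing-list post: a small Python checker that parses Cisco IOS-style access-list lines with first-match semantics and reports whether DNS over UDP and over TCP is permitted to a given host. The sample ACL is constructed after the excerpt in the post; the line grammar covered (permit/deny, ip/tcp/udp, any/host, optional "eq") is an assumption that suits this excerpt, not a complete IOS parser.

```python
"""Report whether a Cisco-style access-list permits DNS over UDP and TCP.

Added example, not from the mailing-list post. Handles only the subset of
IOS ACL syntax used in the post's excerpt (assumption).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the access-list quoted in the post.
SAMPLE_ACL = """\
remark permit smtp.
permit tcp any host 209.233.126.65 eq smtp
remark
remark permit DNS.
permit udp any host 209.233.126.65 eq domain
"""

# Service names IOS accepts in an "eq" clause, mapped to port numbers.
SERVICE_PORTS = {"domain": 53, "smtp": 25, "www": 80, "https": 443}

# One ACL entry: action, protocol, source, destination, optional "eq <port>".
LINE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dst: str            # "any" or a host address
    port: Optional[int]  # None when the entry has no "eq" clause


def parse_acl(text: str) -> List[Rule]:
    """Parse ACL lines in order, skipping blanks and 'remark' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("remark"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        port = m.group("port")
        if port is None:
            port_num = None
        elif port.isdigit():
            port_num = int(port)
        else:
            port_num = SERVICE_PORTS[port]
        dst = m.group("dst")
        dst_host = "any" if dst == "any" else dst.split()[1]
        rules.append(Rule(m.group("action"), m.group("proto"), dst_host, port_num))
    return rules


def is_permitted(rules: List[Rule], proto: str, dst_host: str, port: int) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if r.dst not in ("any", dst_host):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "permit"
    return False


def dns_transport_report(text: str, dst_host: str) -> dict:
    """Which DNS transports the ACL allows to reach dst_host on port 53."""
    rules = parse_acl(text)
    return {
        "udp": is_permitted(rules, "udp", dst_host, 53),
        "tcp": is_permitted(rules, "tcp", dst_host, 53),
    }


if __name__ == "__main__":
    report = dns_transport_report(SAMPLE_ACL, "209.233.126.65")
    for transport, allowed in report.items():
        print(f"DNS over {transport.upper()}: {'permitted' if allowed else 'blocked'}")
```

Run against the sample, the report shows UDP permitted and TCP blocked, which is exactly the situation the post describes: a resolver that gets a truncated UDP answer and retries over TCP never gets through, so any SPF design that depends on TCP queries fails at the access-list rather than at the DNS server.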