[Michel Py]
they are blocked by almost every access-list in the world.
[Theo Van Dinter]
Says you. To me, it sounds like the admin doesn't know DNS does UDP
and TCP. (to note: every firewall I've ever set up or taken
over supports UDP and TCP, and all firewall appliances I've seen
understand both should be allowed when you say "service dns"...)

I concur with Theo. Support for DNS-over-TCP should be expected from
most firewalls, per the DNS RFCs. Each of the 16 flavors of SonicWall,
WatchGuard, and Checkpoint/Nokia devices I administer define the "DNS
protocol" as TCP *or* UDP over port 53.
I think perhaps your customers' firewalls are misconfigured, Michel.
Were they all set up from the same "default" configuration file before
deployment?
Regards,
Ryan