[nsp] PIX deny UDP

Niels Bakker niels=cisco-nsp@bakker.net
Mon, 14 Oct 2002 16:39:55 +0200


* jarrod@advmed.com (Jarrod Baumann) [Mon 14 Oct 2002, 16:28 CEST]:
> 53/TCP is only for zone transfers, not lookups.

Incorrect.  Resolver libraries should fall back to TCP when UDP doesn't
work, for example when the answer is too large to fit in the 512 bytes
a UDP DNS packet can be.

Yes, AXFRs are one of the situations where the answer is likely to
exceed 512 bytes, but if you want to see something funny as an
illustration of my point, try:

	% dig ptr 42.220.218.216.in-addr.arpa @216.218.132.2

Regards,


	-- Niels.

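Added here as an illustration of the UDP-to-TCP fallback described in the message above (example code, not from the post or from any real resolver library): it builds the PTR query for the name in the post, checks the TC (truncated) bit of a UDP reply, and frames the retry the way DNS over TCP expects, which is exactly the step a PIX rule denying 53/TCP breaks. The reply bytes are constructed samples; the query ID 0x1234 is an assumption.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: answer did not fit the UDP datagram
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
QTYPE_PTR = 12
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte, label bytes, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid: int, name: str, qtype: int = QTYPE_PTR) -> bytes:
    """Build a standard recursive query: header (1 question) + question section."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def is_truncated(response: bytes) -> bool:
    """True when the server set TC, meaning the UDP reply was cut short."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


def frame_for_tcp(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with a two-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def next_transport(query: bytes, udp_response: bytes) -> tuple:
    """What a resolver does after the UDP exchange: ("udp", None) if the reply is
    usable, or ("tcp", framed_query) when it must retry over 53/TCP. If a firewall
    drops 53/TCP, that retry never succeeds and the large answer is lost."""
    if udp_response[:2] != query[:2]:
        raise ValueError("response ID does not match query")
    if is_truncated(udp_response):
        return "tcp", frame_for_tcp(query)
    return "udp", None


# Constructed samples (not captured traffic): the PTR query from the post, a
# header-only reply with TC set (a server omits the answer it cannot fit in
# 512 bytes), and a normal reply header without TC.
SAMPLE_QUERY = build_query(0x1234, "42.220.218.216.in-addr.arpa")
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
```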