On Jul 25, 2012, at 21:27, "Joseph L. Casale" <jcasale at activenetwerx.com> wrote:

>> DNS lookups default to using 53/udp, and only use 53/tcp for zone
>> transfers. Could it be 53/udp is being lost/blocked between this host
>> and your ns1?
>
> Unfortunately that is a common misconception.
>
> TCP is used far more often than "only" as stated, such as for size of request
> exceeding UDP response size etc...
>
> Bottom line is both ports are needed, not just for zone xfers.
>

Except that the malware guys have figured out how to abuse port 53. Security recommendation is to block TCP unless you're running a DNS server. And also block oversize port 53 UDP packets.

Dave M
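The exchange above hinges on two mechanics: when a resolver falls back from 53/udp to 53/tcp (the TC truncation bit in a UDP answer), and what makes a 53/udp packet "oversize" (the EDNS0 UDP payload size the responder advertises, versus the classic 512-byte ceiling). As an added example, not code from this list or from any resolver, here is a small Python parser that reads a DNS response header and its EDNS0 OPT record and reports both. The two packets it inspects are constructed by hand; the transaction ID and the 192.0.2.1 address are placeholder values.

```python
"""Inspect DNS responses for the conditions that push resolvers to TCP.

Added example for this thread, not code from the list or any DNS project.
It parses the 12-byte DNS header (RFC 1035 section 4.1.1) and looks for an
OPT pseudo-RR (EDNS0, RFC 6891) in the additional section, so a defender
can see (a) whether a UDP answer was truncated (TC bit set), which makes a
resolver retry the query over 53/tcp, and (b) the UDP payload size the
answering side advertises, which is what makes UDP answers larger than
512 bytes legitimate. Sample packets are constructed by hand.
"""
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035 ceiling for DNS over UDP without EDNS0
TYPE_OPT = 41             # EDNS0 OPT pseudo-RR type


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(data):
            raise ValueError("name runs past end of message")
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _skip_rr(data: bytes, off: int):
    """Skip one resource record; return (next_offset, rtype, rclass)."""
    off = _skip_name(data, off)
    rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
    return off + 10 + rdlen, rtype, rclass


def analyze_dns_message(data: bytes) -> dict:
    """Parse header and RRs; report truncation and advertised EDNS UDP size."""
    if len(data) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    is_response = bool(flags & 0x8000)   # QR bit
    truncated = bool(flags & 0x0200)     # TC bit: answer did not fit in UDP
    off = 12
    for _ in range(qd):                  # question: name, qtype, qclass
        off = _skip_name(data, off) + 4
    edns_udp_size = None
    for _ in range(an + ns + ar):        # OPT lives in the additional section
        off, rtype, rclass = _skip_rr(data, off)
        if rtype == TYPE_OPT:
            edns_udp_size = rclass       # for OPT, CLASS carries the UDP payload size
    limit = edns_udp_size or CLASSIC_UDP_LIMIT
    return {
        "id": txid,
        "response": is_response,
        "truncated": truncated,
        "edns_udp_size": edns_udp_size,
        "size": len(data),
        "exceeds_classic_512": len(data) > CLASSIC_UDP_LIMIT,
        "within_advertised_limit": len(data) <= limit,
        "needs_tcp_retry": is_response and truncated,
    }


def _name(dotted: str) -> bytes:
    """Encode a dotted name in DNS wire format (constructed helper)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in dotted.split(".")) + b"\x00"


# Constructed sample 1: ordinary A answer for example.com, no EDNS0.
QUESTION = _name("example.com") + struct.pack("!HH", 1, 1)           # A, IN
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
NORMAL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + A_RR

# Constructed sample 2: truncated answer (TC set, answer section empty) that
# carries an OPT RR advertising a 4096-byte UDP payload.
OPT_RR = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1) + QUESTION + OPT_RR

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        print(label, analyze_dns_message(pkt))
```

Run against real traffic (for example, UDP payloads pulled from a capture), `needs_tcp_retry` marks the answers that will be followed by a 53/tcp connection from a well-behaved resolver, and `edns_udp_size` shows the payload sizes clients and servers have negotiated, which is the figure a firewall rule on "oversize" 53/udp packets should be compared with before it is deployed.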