The servers in question are acting as caching servers querying the
Internet on behalf of client population who are unlikely to be running
anything other than an MS stub resolver. The security guys stance is
that unless it can be demonstrated that a particular query will cause
truncation, then they will only allow UDP query/response from the
clients and to the Internet.

"Roy S. Rapoport" wrote:
> On Thu, Sep 16, 2004 at 09:20:03PM +0100, Marc Thach Xuan Ky wrote:
> > I have a friend 8^) who wants to allow TCP DNS through the firewall. The
> > firewall people are not keen to do this. Telling them that "the
> > firewall is broken" unfortunately does not sway them. My friend needs
> > examples of real Internet domain lookups that truncate and require TCP.
> > Does anybody out there know of any?

> Why does it matter what other people have? Does your friend have a need for
> TCP DNS? If so, he should be able to demonstrate the need based on his own
> requirements, rather than someone else's requirements.
> -roy