> Does anybody know if DNS uses ICMP in
> any of its processes? I'm using ipchains
> to filter packets. I deny all protocol 1, ICMP.
> I get a moderate amount of blocked ICMP packets
> to and from name servers in my logs. Should
> I allow ICMP to and from name servers?
ICMP is used by UDP to tell the sender if nobody is listening on a port.
It is normal to see ICMP port unreachable messages sent from the DNS
client to the server. Seeing those packets sent from the name server
means that it is no name server actually or the DNS service being
IP and TCP use ICMP packets for error-reporting too. The proper
operation and aborting (later in case of unrecoverable error) of a TCP
connection does rely on being able to send and receive ICMP packets.
One major problem caused by denying ICMP packets is the TCP Path MTU
discovery to fail. Symptoms are stalled TCP connections, recovering
anywhere from slowly to never.
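An added example, not part of the thread above: a small Python decoder that takes a raw ICMP Destination Unreachable message, reads the original datagram it quotes, and labels it the way the reply reasons about DNS port-unreachable and PMTU fragmentation-needed messages. The addresses and ports are constructed sample values.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type (RFC 792)
CODE_PORT_UNREACH = 3   # code: port unreachable
CODE_FRAG_NEEDED = 4    # code: fragmentation needed and DF set (PMTU discovery, RFC 1191)
PROTO_UDP, PROTO_TCP, DNS_PORT = 17, 6, 53

def parse_dest_unreach(icmp):
    """Decode an ICMP Destination Unreachable message and the original
    datagram it quotes (IP header + first 8 bytes of transport header).
    Returns None for any other ICMP type."""
    icmp_type, code, _csum, _unused, next_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # same offsets for UDP and TCP
    return {"code": code, "proto": inner[9],
            "src": ".".join(map(str, inner[12:16])), "dst": ".".join(map(str, inner[16:20])),
            "sport": sport, "dport": dport,
            "next_mtu": next_mtu if code == CODE_FRAG_NEEDED else None}

def classify(icmp):
    """Label a logged ICMP packet following the reasoning of the reply above."""
    info = parse_dest_unreach(icmp)
    if info is None:
        return "other-icmp"
    if info["code"] == CODE_FRAG_NEEDED:
        return "pmtu-frag-needed"            # dropping these stalls TCP connections
    if info["code"] == CODE_PORT_UNREACH and info["proto"] == PROTO_UDP:
        if info["sport"] == DNS_PORT:
            return "dns-reply-to-closed-client-port"   # normal: client already gave up
        if info["dport"] == DNS_PORT:
            return "nothing-listening-on-53"           # the "server" is not serving DNS
    return "unreachable-other"

def build_dest_unreach(code, src, dst, proto, sport, dport, next_mtu=0):
    """Constructed sample: ICMP type 3 quoting a minimal IPv4 header + 8 transport bytes."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0x4000, 64, proto, 0, ip(src), ip(dst))
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)   # UDP-shaped header, checksum left zero
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, next_mtu) + inner_ip + l4

if __name__ == "__main__":
    # constructed example: a DNS client rejected a late reply from 192.0.2.53
    pkt = build_dest_unreach(CODE_PORT_UNREACH, "192.0.2.53", "198.51.100.7", PROTO_UDP, 53, 40123)
    print(classify(pkt))   # dns-reply-to-closed-client-port
```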