What should be done if you needed to create a policy to control DNS zone transfers but still allow basic DNS queries to go through?
Nothing, the pre-defined DNS service will work properly as defined
Create a custom service using TCP port 53 as the destination port
The predefined DNS service does not allow this type of configuration
Create a custom service only using UDP port 53 as the destination port
DNS traffic travels over port 53 (UDP and TCP). Therefore, it is necessary to open these ports on the NetScreen firewall to allow clients and other servers to use DNS. UDP port 53 is required for client queries, while TCP port 53 is required for zone transfers. In most cases it is unnecessary to allow zone transfers outside of the Protected Network, so TCP port 53 should be blocked at the firewall. Because the predefined DNS service matches both UDP and TCP 53, separating the two requires a custom service that matches only TCP 53, which the policy can then deny (or permit only for designated secondary name servers). One caveat: resolvers also retry a query over TCP 53 when the UDP response comes back truncated (TC bit set), so blocking TCP 53 for everyone can break large responses; apply the deny to untrusted sources rather than closing TCP 53 wholesale.
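A ScreenOS configuration that implements this, added here as an illustration and not taken from the exam page or from Juniper documentation: the zone names "Trust" and "Untrust", the policy IDs, the internal server 10.1.1.10 and the authorized secondary 192.0.2.53 are constructed examples, and the exact `set service` syntax is stated from memory, so check it against the ScreenOS CLI reference for your release. The `#` lines are annotations for the reader; ScreenOS does not accept comment lines, so strip them before pasting.

```text
# Custom service that matches only TCP/53 (zone transfers), unlike the
# predefined "DNS" service, which matches both UDP/53 and TCP/53.
set service "DNS-AXFR" protocol tcp src-port 0-65535 dst-port 53-53

# Address objects (constructed examples).
set address "Trust" "int-dns" 10.1.1.10 255.255.255.255
set address "Untrust" "secondary-ns" 192.0.2.53 255.255.255.255

# Policies are evaluated top-down, first match wins, so the TCP/53 rules
# must come before the general DNS permit.
# 1. Only the designated secondary may pull zone transfers.
set policy id 10 from "Untrust" to "Trust" "secondary-ns" "int-dns" "DNS-AXFR" permit log
# 2. Every other external host is denied TCP/53 to the internal server.
set policy id 11 from "Untrust" to "Trust" "Any" "int-dns" "DNS-AXFR" deny log
# 3. Ordinary queries (UDP/53, and TCP/53 only from the secondary, which
#    policy 11 already excluded for everyone else) are allowed.
set policy id 12 from "Untrust" to "Trust" "Any" "int-dns" "DNS" permit
```

Verify the ordering with `get policy from untrust to trust` after saving; if policy 12 ends up above policy 11, the predefined "DNS" service will match TCP/53 first and the deny will never fire. If you need to keep TCP fallback for truncated responses from trusted networks, apply the deny only to the Untrust zone as shown and leave TCP/53 open in the Trust-to-Trust or Trust-to-DMZ policies.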