I am setting up my own DNS servers on the Internet instead of using my ISP for DNS. I am using Win2k3 Server with the Microsoft DNS server. I set up the primary and secondary servers and secured them according to Microsoft's whitepapers. The secondary server will not zone XFR if I enable TCP/IP Filtering and restrict it to UDP and TCP port 53. If I remove TCP/IP Filtering, the zone XFR works just fine. Why?