Does BIND use TCP protocol?

Kevin Darcy kcd at daimlerchrysler.com
Fri Nov 5 00:11:21 UTC 1999


BIND *chooses* to use TCP typically only for zone transfers. However,
many clients will fall back to using TCP for a query if they previously
used UDP and the answer was truncated. BIND does not choose the protocol
in this case, but needs to be listening on TCP port 53 if it is to answer
such queries. Also, BIND needs to be listening on the TCP port if it is
to answer queries explicitly made via TCP, e.g. by setting "vc" within
nslookup.


- Kevin

Steve Snyder wrote:

> I recently went to one of those Web sites where you can configure a
> Linux ipchains firewall online.  After answering many questions about
> my configuration, it spit out a template of an ipchains ruleset.  The
> rules show the use of both UDP and TCP for DNS traffic (see below).
>
> The name server on my LAN is authoritative only for the nodes on the LAN
> and does name resolution via my ISP for all other requests.  My name
> server never answers requests from outside my own domain.
>
> I am not asking if the ruleset below is good or even workable.  It is
> just the protocol use I am interested in.
>
> So...  does BIND really use TCP for DNS traffic, and if so, what does
> it use that protocol for?
>
> Thank you.
>
> ----- This is the suggested firewall config for DNS:
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
>              -s $NAMESERVER 53 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $NAMESERVER 53 -j ACCEPT
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $NAMESERVER 53 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $NAMESERVER 53 -j ACCEPT
>
> *** Steve Snyder ***
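The truncation-then-TCP behaviour Kevin describes, worked through end to end as an added example (this is illustrative code written for this page, not code from BIND, from either poster, or from the firewall-template site). It builds a query, has a toy server answer over UDP and flag the reply TC when the full answer would not fit in 512 bytes, lets the client decide from that reply whether to retry, and shows the 2-byte length framing that DNS over TCP uses; that framed retry is exactly the traffic the `-p tcp` rules above have to permit. The names `www.example.com` and the `192.0.2.x` addresses are constructed sample data, and the 512-byte UDP limit is the classic RFC 1035 figure, not a value from the thread.

```python
"""DNS truncation (TC) and client fallback to TCP: constructed example."""
import struct

HEADER_FMT = "!HHHHHH"          # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER_LEN = 12
QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080   # header flag bits
UDP_MAX = 512                   # classic RFC 1035 size limit for DNS over UDP


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard recursive query for <name>/<qtype>/IN: header plus one question."""
    header = struct.pack(HEADER_FMT, txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def make_a_rr(name: str, ipv4: str, ttl: int = 300) -> bytes:
    """One uncompressed A record: NAME, TYPE=1, CLASS=1, TTL, RDLENGTH, RDATA."""
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; TC is the bit the client keys its retry on."""
    if len(msg) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def server_answer(query: bytes, rrs: list, over_tcp: bool) -> bytes:
    """Toy server (stands in for BIND here): echo the question and add answers.
    Over UDP a reply that would exceed UDP_MAX is cut back to the question
    section with TC set; over TCP the full reply is sent."""
    q = parse_header(query)
    question = query[HEADER_LEN:]
    body = b"".join(rrs)
    flags = QR | RD | RA
    if not over_tcp and HEADER_LEN + len(question) + len(body) > UDP_MAX:
        return struct.pack(HEADER_FMT, q["id"], flags | TC, 1, 0, 0, 0) + question
    return struct.pack(HEADER_FMT, q["id"], flags, 1, len(rrs), 0, 0) + question + body


def needs_tcp_retry(query: bytes, response: bytes) -> bool:
    """Client side: the resolver, not the server, chooses TCP, and only when
    a response matching its transaction ID came back truncated."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] and r["id"] == q["id"] and r["tc"]


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for one TCP DNS frame")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> list:
    """Split a TCP byte stream into complete messages; a partial tail is left out."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + n > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs


def resolve(name: str, rrs: list) -> tuple:
    """Drive the exchange: UDP first, TCP only if the UDP reply was truncated.
    Returns the transport that produced the final answer and its header."""
    query = build_query(name)
    udp_reply = server_answer(query, rrs, over_tcp=False)
    if not needs_tcp_retry(query, udp_reply):
        return "udp", parse_header(udp_reply)
    # Fallback: the same query, length-framed, to TCP/53; the server must be
    # listening there or this second attempt simply fails.
    tcp_query = frame_tcp(query)
    tcp_reply = frame_tcp(server_answer(unframe_tcp(tcp_query)[0], rrs, over_tcp=True))
    return "tcp", parse_header(unframe_tcp(tcp_reply)[0])


if __name__ == "__main__":
    small = [make_a_rr("www.example.com", "192.0.2.1")]
    big = [make_a_rr("www.example.com", "192.0.2.%d" % i) for i in range(1, 21)]
    print(resolve("www.example.com", small))   # answered over UDP, ancount 1
    print(resolve("www.example.com", big))     # truncated on UDP, answered over TCP, ancount 20
```

The split of roles is the point: `server_answer` never picks a transport, it only marks what it could not fit, and `needs_tcp_retry` is where the client makes the decision. On the firewall side, the inbound `-p tcp ! -y` rule in the template admits exactly the non-SYN half of that client-initiated retry, which is why a resolver sitting behind it still gets large answers without the outside being able to open TCP connections to it.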
