tcp limitations

Guy Pazi guy at wanwall.com
Tue Jun 12 13:51:42 UTC 2001


Hi Jim.
Thanks for your answer; see below:

> -----Original Message-----
> From: Jim Reid [mailto:jim at rfc1035.com]
> Sent: Tuesday, 12 June, 2001 10:49 AM
> To: Guy Pazi
> Cc: Brad Knowles; bind-users at isc.org
> Subject: Re: tcp limitations
>
>
> >>>>> "Guy" == Guy Pazi <guy at wanwall.com> writes:
>
>     Guy> Since I don't have many choices but to block all udp traffic,
>     Guy> including the dns ones, then I'll stick to my last question
>     Guy> (phrased a bit differently): if all dns traffic ought to be
>     Guy> in tcp, the only limitation allowed is on the number of
>     Guy> concurrent open connections (limitations on type/class are
>     Guy> not allowed). Dns servers have the option of explicitly
>     Guy> limiting the number of concurrent tcp queries, while the OS
>     Guy> resources for tcp connections are limited as well.
>
> This makes no sense. You might as well ask "if the sky is purple with
> green stripes, what would be the capital of the Austrian-Hungarian
> empire?"
>
> If you block all UDP traffic, DNS will not work. End of story. Name
> servers use UDP *by default* and only use TCP when a UDP answer is
> truncated. So either you get someone with a clue to define your
> security policy and configure your firewall appropriately or else you
> put your name servers outside the firewall. There is no alternative.

My configuration IS with EXTERNAL dns servers.
The type of transport protocol between a resolver and a name server is
dependent on the resolver; therefore, configuring the INTERNAL resolvers to
query the server using tcp only will result only in tcp traffic. The
question was: does a name server keep query states in order to verify a tcp
query was preceded by a truncated udp one, or does it ignore tcp queries
that could have been answered via udp, or will it just answer?
The answers I've received so far suggest there is no problem with that.
The only problem that remains is that tcp queries will overload the dns server
more than udp ones, and my fear is that if all my queries are over tcp,
the server will ignore them.


>
>     Guy> and to the question: What is the scale of concurrent tcp
>     Guy> connections a dns server can support? ~1000? ~100000?
>
> It depends on the operating system and its TCP/IP stack.
>
> Why are you asking this question? It has no relevance at all to your
> set up or the problem you are trying to deal with. Your comments about
> a root server are even more irrelevant. You don't run one and your
> name servers won't get anything like that level of traffic. In fact if
> they're stuck behind this exceptionally silly firewall, your servers
> won't get any DNS queries at all.
>

The reason I've referred to root servers is because a server's capabilities
vary according to many parameters, and a root server might be something we
can both talk about and understand each other on.

Thanks
Guy
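The exchange above turns on two facts: a DNS message over TCP is the same bytes as over UDP with a two-byte length in front, and a name server answers a TCP query from the query itself, with no need to have seen a truncated UDP attempt first. The following is an added example written for this archive page; it is not code from the thread or from BIND. `toy_server` is a constructed, stateless responder, the query name `example.com.` and the `10.0.x.y` addresses are made-up sample data, and `resolve` models the two resolver behaviours discussed: the default UDP-first-then-TCP-on-truncation path and the TCP-only path the internal resolvers would use.

```python
"""DNS over UDP vs. TCP, as the thread describes it (added example)."""
import struct

UDP_MAX = 512                      # classic DNS/UDP payload limit (RFC 1035)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_TC = 0x8000, 0x0100, 0x0080, 0x0200


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1, qclass=1):
    """Standard query with RD set; the same bytes are sent on UDP and TCP."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def tcp_frame(msg):
    """DNS over TCP prepends a two-byte big-endian length; the message is unchanged."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Take one length-prefixed message off a TCP byte stream; return (msg, rest)."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length], stream[2 + length:]


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]


def toy_server(wire, n_records, via_tcp):
    """Constructed stateless responder (demo only, not BIND). Builds n_records
    A records for whatever question arrives. On UDP a reply over 512 bytes is
    cut back to the question with TC set; on TCP it is sent whole. Nothing
    here depends on what the same client sent earlier."""
    query = tcp_unframe(wire)[0] if via_tcp else wire
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    records = b"".join(
        b"\xc0\x0c"                                   # pointer to the question name
        + struct.pack("!HHIH", 1, 1, 300, 4)          # A, IN, TTL 300, rdlength 4
        + bytes([10, 0, (i >> 8) & 0xFF, i & 0xFF])   # constructed 10.0.x.y address
        for i in range(n_records))
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    reply = struct.pack("!HHHHHH", qid, flags, 1, n_records, 0, 0) + question + records
    if not via_tcp and len(reply) > UDP_MAX:
        reply = struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0) + question
    return tcp_frame(reply) if via_tcp else reply


def resolve(name, n_records, tcp_only=False, qid=0x1234):
    """Resolver side. Default: UDP first, TCP only if the UDP reply had TC set.
    tcp_only=True skips UDP entirely, as the internal resolvers in the thread
    would. Returns (answer records received, transports used in order)."""
    used = []
    query = build_query(qid, name)
    if not tcp_only:
        reply = toy_server(query, n_records, via_tcp=False)
        used.append("udp")
        if not is_truncated(reply):
            return answer_count(reply), used
    reply, _rest = tcp_unframe(toy_server(tcp_frame(query), n_records, via_tcp=True))
    used.append("tcp")
    return answer_count(reply), used


if __name__ == "__main__":
    for n, tcp_only in ((10, False), (40, False), (10, True)):
        print(n, "records, tcp_only =", tcp_only, "->", resolve("example.com.", n, tcp_only))
```

With 10 records the answer fits in a UDP datagram and TCP is never used; with 40 it exceeds 512 bytes, the UDP reply comes back with TC set and zero answers, and the resolver repeats the identical query over TCP. The TCP-only resolver gets the same full answer without any UDP exchange, and `toy_server` has no way to tell the two TCP queries apart, which is why the server-side "state" question in the thread has the answer it has. What TCP does cost the server is a connection per query, which is the remaining concern in the thread and is bounded by the OS and the server's connection limits rather than by the protocol.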