tcp limitations
Jim Reid
jim at rfc1035.com
Tue Jun 12 13:21:28 UTC 2001
>>>>> "Guy" == Guy Pazi <guy at wanwall.com> writes:
>> If you block all UDP traffic, DNS will not work. End of
>> story. Name servers use UDP *by default* and only use TCP when
>> a UDP answer is truncated. So either you get someone with a
>> clue to define your security policy and configure your firewall
>> appropriately or else you put your name servers outside the
>> firewall. There is no alternative.
Guy> My configuration IS with EXTERNAL dns servers. The type of
Guy> transport protocol between a resolver and a name server is
Guy> dependent on the resolver, therefore, configuring the
Guy> INTERNAL resolvers to query the server using tcp only will
Guy> result only with tcp traffic. The question was, does a name
Guy> server keep query states in order to verify a tcp query was
Guy> preceded with truncated udp one, or does it ignore tcp
Guy> queries that could have been answered via udp, or will it
Guy> just answer. The answers I've received so far suggest there
Guy> is no problem with that. The only problem that remains is that
Guy> tcp queries will overload the dns server more than udp ones
Guy> and my fear is that if all my queries will be over tcp, the
Guy> server will ignore them.
Frankly, this verges on insanity. Rather than fix your firewall to do
the right thing, you propose changing the standard behaviour of every
piece of DNS software that will ever live inside your network. Good
luck. Have you any idea of the maintenance and administrative
nightmare you'd be making for yourself? And what if somebody installs
some new software that stamps all over your hypothetical TCP-only
resolver? Or secretly uses its own UDP-only resolver? Oh and let's not
overlook the overhead of the three-way TCP handshake to set up the
connection. Every DNS lookup really needs that latency in front of it.
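The UDP-first, TCP-on-truncation behaviour the thread describes, as an added illustration that is not part of the original post or of any name server's code: it builds a query, inspects the TC bit of a (constructed, not captured) UDP reply, and only then re-sends the same query with the 2-byte length prefix that DNS over TCP requires.

```python
import struct

# Constructed DNS messages, not captured traffic. The TC bit in the header
# flags word is what tells a resolver to repeat the query over TCP.

def build_query(name, qtype=1, txid=0x1234):
    """Build a standard DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """Return True if the response header has the TC (truncated) flag set."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)  # TC is bit 9 of the flags word

def frame_for_tcp(message):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def choose_transport(query, udp_response):
    """The resolver decision from the thread: stay on UDP unless the UDP
    answer was truncated; then resend the identical query over TCP, framed."""
    if is_truncated(udp_response):
        return ("tcp", frame_for_tcp(query))
    return ("udp", query)

# Constructed sample replies to the query above (ID 0x1234):
# flags 0x8180 = QR, RD, RA set, NOERROR; 0x8380 is the same with TC set.
COMPLETE_UDP_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
TRUNCATED_UDP_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    for reply in (COMPLETE_UDP_REPLY, TRUNCATED_UDP_REPLY):
        transport, wire = choose_transport(q, reply)
        print(transport, len(wire), "bytes on the wire")
```

A firewall that drops UDP/53 never lets the first step happen, which is why the reply above says the name server must sit outside it or the policy must allow UDP.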