tcp limitations

Jim Reid jim at rfc1035.com
Tue Jun 12 13:21:28 UTC 2001


>>>>> "Guy" == Guy Pazi <guy at wanwall.com> writes:

    >> If you block all UDP traffic, DNS will not work. End of
    >> story. Name servers use UDP *by default* and only use TCP when
    >> a UDP answer is truncated. So either you get someone with a
    >> clue to define your security policy and configure your firewall
    >> appropriately or else you put your name servers outside the
    >> firewall. There is no alternative.

    Guy> My configuration IS with EXTERNAL dns servers.  The type of
    Guy> transport protocol between a resolver and a name server is
    Guy> dependent on the resolver, therefore, configuring the
    Guy> INTERNAL resolvers to query the server using tcp only will
    Guy> result only in tcp traffic. The question was, does a name
    Guy> server keep query states in order to verify a tcp query was
    Guy> preceded with a truncated udp one, or does it ignore tcp
    Guy> queries that could have been answered via udp, or will it
    Guy> just answer.  The answers I've received so far suggest there
    Guy> is no problem with that.  The only problem that remains is that
    Guy> tcp queries will overload the dns server more than udp ones
    Guy> and my fear is that if all my queries will be over tcp, the
    Guy> server will ignore them.

Frankly, this verges on insanity. Rather than fix your firewall to do
the right thing, you propose changing the standard behaviour of every
piece of DNS software that will ever live inside your network. Good
luck. Have you any idea of the maintenance and administrative
nightmare you'd be making for yourself? And what if somebody installs
some new software that stamps all over your hypothetical TCP-only
resolver? Or secretly uses its own UDP-only resolver? Oh and let's not
overlook the overhead of the three-way TCP handshake to set up the
connection. Every DNS lookup really needs that latency in front of it.
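The UDP-first, TCP-only-on-truncation behaviour the thread describes, as an added example that is not code from the thread or from BIND: a minimal wire-format client whose transports are injected (the `send_udp`/`send_tcp` callables and the stub responders are constructed here) so it runs offline and shows when a conforming resolver actually opens a TCP connection.

```python
import struct

# Added example, not from the bind-users thread. Shows a resolver that
# queries over UDP and falls back to TCP only when the TC bit is set.

TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags word

def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard query (RD set) for `name` in DNS wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def is_truncated(response):
    """True when the responder set TC, i.e. the answer did not fit in UDP."""
    flags = struct.unpack(">H", response[2:4])[0]
    return bool(flags & TC_FLAG)

def tcp_frame(message):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack(">H", len(message)) + message

def resolve(name, send_udp, send_tcp):
    """UDP first; retry the same query over TCP only if the reply was truncated.
    send_udp(query) and send_tcp(framed_query) each return raw response bytes.
    Returns (response, transport_used)."""
    query = build_query(name)
    resp = send_udp(query)
    if not is_truncated(resp):
        return resp, "udp"
    return send_tcp(tcp_frame(query)), "tcp"

# Constructed stub transports standing in for a real name server.
def fake_udp_truncated(query):
    # Echo the query id, set QR|RD|TC (0x8300): answer too big for UDP.
    return query[:2] + struct.pack(">H", 0x8300) + query[4:]

def fake_udp_complete(query):
    # Echo the query id, set QR|RD|RA (0x8180): full answer fits in UDP.
    return query[:2] + struct.pack(">H", 0x8180) + query[4:]

def fake_tcp(framed):
    # Strip the 2-byte length prefix, then answer with QR|RD|RA set.
    length = struct.unpack(">H", framed[:2])[0]
    query = framed[2:2 + length]
    return query[:2] + struct.pack(">H", 0x8180) + query[4:]

if __name__ == "__main__":
    print(resolve("example.com", fake_udp_truncated, fake_tcp)[1])  # tcp
    print(resolve("example.com", fake_udp_complete, fake_tcp)[1])   # udp
```

A firewall that drops TCP/53 breaks only the second leg of the first case, which is why the thread's answer is to fix the policy rather than force every client onto TCP.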

