DNS and TCP

David Botham dns at botham.net
Wed Oct 2 15:15:53 UTC 2002




> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Bill Larson
> Sent: Wednesday, October 02, 2002 11:04 AM
> To: bind-users at isc.org
> Subject: DNS and TCP
> 
> 
> There is a recent/current thread about TCP packets being used for DNS
> communication, and this brought up a question for me.
> 
> Can anyone provide any examples of "reasonable" DNS queries that would
> overflow a UDP packet and require retransmission using TCP?  Specific,
> non-contrived, examples would be appreciated.

Zone Transfers Require TCP.  Allow it through the FW....

Dave...

> 
> I fully understand that if too much data is being provided in the DNS
> response (>512 bytes) then TCP retransmission will be necessary.  My
> problem is that at work (which will remain nameless), someone managing
> the network has blocked incoming TCP traffic on port 53.  This means
> that, in general, no one can obtain DNS information using TCP.  This
> was done under the belief that the only reason for DNS to use TCP is
> for zone transfers, and that these must be blocked.
> 
> I would like to provide them an example of where their blocking DNS
> services using TCP may cause problems.  Specific possibilities that I
> can imagine would include:
> 
> 	Large numbers of glue records (lots of NS records for the zone)
> 
> 	Large numbers of answers (multiple records, maybe MX records?)
> 
> 	Large answers (a large TXT record)
> 
> Contriving such a situation would be trivial, I have done this using
> long TXT records, but can anyone provide an example that really is
> being used out there?
> 
> Thanks,
> 
> Bill Larson (wllarso at swcp.com)



More information about the bind-users mailing list