about tcp port 53

Mark Elkins mje at posix.co.za
Wed Jul 29 07:27:14 UTC 2009


On Wed, 2009-07-29 at 12:35 +0800, Tech W. wrote:
> --- On Tue, 28/7/09, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> > > what's the use of bind's tcp port 53?
> > DNS requests and responses.
> oh, I was always thinking dns requests and responses are going with udp protocol. under what condition it uses tcp protocol?

If a UDP reply packet comes back truncated, the query machine may ask
again via TCP.
i.e. if the reply is over 512 bytes and one end doesn't support EDNS(0), or
perhaps a "firewall" in the path truncates a UDP reply to 512 bytes?
DNSSEC and IPv6 both help to push replies over that 512 byte limit.
Your "local registry" (ccTLD) could choose to ask on TCP if they
validate your DNS records before inserting them into their zone?
(Of course - zone transfers and updates use TCP)

So one could view TCP as a safeguard for when UDP can't get through,
though UDP is far more efficient a mechanism to deliver DNS queries
which is why EDNS(0) was provided as an Extension to DNS (Version 0) -
to allow for UDP packets larger than 512 (up to 4096?).

The "Kaminsky Attack" (or compromise) should have been a good reason for
everyone using BIND to upgrade to a version of BIND that supports
EDNS(0) - yet in /var/log/messages, I still get loads of:-
named[4027]: success resolving 'hub.linksdelmundo.com/AAAA' (in
'linksdelmundo.com'?) after reducing the advertised EDNS UDP packet size
to 512 octets

Anyway, consider your configuration broken (or incomplete) if you can
not answer DNS queries on both UDP and TCP.

-- 
  .  .     ___. .__      Posix Systems - Sth Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, SCO ACE, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
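The fallback Mark describes (UDP first, retry over TCP when the reply comes back with the TC bit set, and EDNS(0) advertising a larger UDP buffer so the fallback is rarely needed) as a worked example. This is added illustration code, not anything from the poster or from BIND: the name server is a constructed stand-in (`make_fake_server`) that honours the client's advertised EDNS buffer size and truncates over UDP exactly as the post describes, and the query name is borrowed from the log line above. Wire formats follow RFC 1035 (header, question, 2-byte TCP length prefix) and RFC 6891 (OPT pseudo-RR).

```python
"""
DNS over UDP with TCP fallback on truncation (added example, not the
original poster's code). The server below is a constructed stand-in.
"""
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
CLASSIC_UDP_LIMIT = 512          # pre-EDNS maximum UDP payload (RFC 1035)
TC_FLAG = 0x0200                  # "truncated" bit in the DNS header flags


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_bufsize=4096):
    """Build a recursive query; edns_bufsize=0 omits the OPT record entirely."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # IN class
    msg = header + question
    if edns_bufsize:
        # OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS carries the
        # advertised UDP payload size, TTL=0 (no extended rcode/flags), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg


def parse_header(msg):
    """Return the fields a resolver needs to decide whether to retry over TCP."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "ancount": an}


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete TCP DNS message")
    return body


def make_fake_server(answer_size):
    """Constructed name server: the answer section is answer_size bytes of
    filler. Over UDP it respects the client's EDNS buffer (512 if none) and
    replies with TC set and the question only when the full reply won't fit;
    over TCP it always returns the full reply, length-framed."""
    def respond(query, transport):
        if transport == "tcp":
            query = tcp_unframe(query)
        txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
        question_end = query.index(b"\x00", 12) + 5     # root label + qtype + qclass
        question = query[12:question_end]
        bufsize = CLASSIC_UDP_LIMIT
        if ar:
            opt = query[-11:]                             # trailing OPT RR
            _, advertised, _, _ = struct.unpack("!HHIH", opt[1:])
            bufsize = max(advertised, CLASSIC_UDP_LIMIT)  # RFC 6891: <512 means 512
        full = (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
                + question + b"\xAA" * answer_size)
        if transport == "udp" and len(full) > bufsize:
            return struct.pack("!HHHHHH", txid, 0x8180 | TC_FLAG, 1, 0, 0, 0) + question
        return tcp_frame(full) if transport == "tcp" else full
    return respond


def resolve(name, qtype, server, edns_bufsize=4096):
    """Query over UDP; if the reply is truncated, repeat the query over TCP."""
    query = build_query(name, qtype, edns_bufsize=edns_bufsize)
    reply = server(query, "udp")
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch; discard reply")
    if not hdr["tc"]:
        return {"transport": "udp", "size": len(reply), "answers": hdr["ancount"]}
    reply = tcp_unframe(server(tcp_frame(query), "tcp"))
    hdr = parse_header(reply)
    return {"transport": "tcp", "size": len(reply), "answers": hdr["ancount"]}


if __name__ == "__main__":
    srv = make_fake_server(1000)            # reply well over 512 bytes
    print(resolve("hub.linksdelmundo.com", QTYPE_AAAA, srv, edns_bufsize=4096))
    print(resolve("hub.linksdelmundo.com", QTYPE_AAAA, srv, edns_bufsize=0))
```

Run as-is, the first call completes over UDP because the 4096-byte EDNS buffer holds the 1039-byte reply; the second call, with no OPT record, gets a TC reply at the 512-byte classic limit and is repeated over TCP. A resolver that cannot reach TCP port 53 never gets past that second step, which is the "broken configuration" the post ends on; the transaction-id check is the minimum a resolver does before trusting either reply.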