DNS Flag Day: I had to open the TCP/53 port

Ben Croswell ben.croswell at gmail.com
Mon Feb 4 14:04:05 UTC 2019


When a DNS response is too large to fit in a single UDP packet, 512 bytes
up to 4k with edns, the DNS server will respond with as much as it can fit
in the UDP packet. It will also set the truncate, TC, bit to let the client
doing the query that the answer is truncated and the client should query
again over TCP for the full answer.

The TC bit is also used in conjunction with RRL.

On Mon, Feb 4, 2019, 8:57 AM Roberto Carna <robertocarna36 at gmail.com wrote:

> Thanks Ben for your response, can you tell me the types of TCP traffic I
> have to expect in BIND, excepting Zone Tansfer?
>
> Thans a lot again!!!
>
> El lun., 4 feb. 2019 a las 10:50, Ben Croswell (<ben.croswell at gmail.com>)
> escribió:
>
>> BIND has always required UDP and TCP 53 for proper functionality. It
>> sometimes mistakenly believed that TCP is only for zone transfers but that
>> is not the case.
>>
>> On Mon, Feb 4, 2019, 8:46 AM Roberto Carna <robertocarna36 at gmail.com
>> wrote:
>>
>>> Dear, I have a BIND 9.10 public server and I have delegated some public
>>> domains.
>>>
>>> When I test these domains with the EDNS tool offered in the DNS Flag Day
>>> webpage, the test was wrong wit just UDP/53 port opened to Internet.
>>>
>>> After that, when I opened also TCP/53 port, the test was succesful.
>>>
>>> Please can you explain me the reason I have to open TCP/53 port to
>>> Internet from February 1st to the future???
>>>
>>> Really thanks, regards.
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20190204/f76e7d99/attachment.html>


More information about the bind-users mailing list