[lug] TCP port 53?
Jonathan
rise at knavery.net
Wed Jul 21 05:07:03 MDT 2004
On Tue, 20 Jul 2004 Dan Ferris wrote:
> You don't have to open tcp 53 for regular DNS, only for servers that
> will be doing zone xfers (secondary servers).
You seem to have missed the last several posts. There are
circumstances other than zone transfers under which DNS will use TCP
and blocking tcp/53 can cause sporadic and difficult to diagnose
errors - zone transfers just happen to require them. One of these is
when an RRSet is too large to fit in the response and another is when
an application chooses to use TCP explicitly.
From RFC1123 / STD0003:
Requirements for Internet Hosts -- Application and Support
6.1.3.2 Transport Protocols
DNS resolvers and recursive servers MUST support UDP, and SHOULD
support TCP, for sending (non-zone-transfer) queries.
Specifically, a DNS resolver or server that is sending a
non-zone-transfer query MUST send a UDP query first. If the
Answer section of the response is truncated and if the requester
supports TCP, it SHOULD try the query again using TCP.
DNS servers MUST be able to service UDP queries and SHOULD be able
to service TCP queries
[...]
However, it is also clear that some new DNS record types defined
in the future will contain information exceeding the 512 byte
limit that applies to UDP, and hence will require TCP. Thus,
resolvers and name servers should implement TCP services as a
backup to UDP today, with the knowledge that they will require the
TCP service in the future.
With the usage of large numbers of servers for load-balancing and name
servers for redundancy the need for TCP can be encountered in the
wild. On a day to day basis most queries will work without it, but
when they start failing it's easy to overlook why. You don't gain
anything real in security by blocking tcp/53 and you do lose some
amount of reliability & interoperability.
--
Jonathan Conway rise at knavery.net
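The UDP-first, retry-over-TCP-on-truncation behaviour the RFC excerpt describes, as an added example that is not part of the original post. It builds a bare DNS query with the standard library only (no EDNS0, so the classic 512-byte UDP ceiling applies), inspects the TC bit in the reply header, and if set repeats the query over TCP with the 2-byte length prefix. The resolver address and query name on the command line are assumptions; the hex replies in the comments are constructed for illustration. When tcp/53 is filtered the TCP retry is exactly what fails, so the error message names that case rather than leaving a silent timeout to diagnose.

```python
import socket
import struct
import sys

DNS_PORT = 53
TC_FLAG = 0x0200        # Truncation bit in the DNS header flags word
MAX_UDP_PAYLOAD = 512   # classic limit RFC 1123 refers to (no EDNS0)


def build_query(qname, qtype=1, qid=0x1234):
    """Build a minimal DNS query (RD=1, QCLASS=IN) for qname/qtype (1 = A, 16 = TXT)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in qname.rstrip(".").split(".") if lbl]
    qname_wire = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the header fields that decide whether a TCP retry is needed.

    Constructed sample: bytes.fromhex("123483800001000000000000") is a reply
    with QR=1, TC=1, RD=1, RA=1; "123481800001000100000000" is the same reply
    without TC and with one answer record."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "response": bool(flags & 0x8000),
        "truncated": bool(flags & TC_FLAG),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed mid-message")
        buf += chunk
    return buf


def query_tcp(server, query, timeout=3.0):
    """Send one framed query over tcp/53 and return the unframed reply."""
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def resolve_with_fallback(qname, server, qtype=1, timeout=3.0):
    """RFC 1123 6.1.3.2: query over UDP first; if TC=1, retry over TCP.

    Returns (reply_bytes, transport) where transport is "udp" or "tcp"."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, DNS_PORT))
        udp_msg, _ = s.recvfrom(4096)
    if not parse_header(udp_msg)["truncated"]:
        return udp_msg, "udp"
    try:
        return query_tcp(server, query, timeout), "tcp"
    except (OSError, ConnectionError) as exc:
        # The sporadic failure the thread warns about: UDP "worked" (a truncated
        # reply came back) but the mandatory TCP retry cannot reach the server.
        raise RuntimeError(
            "UDP answer for %s was truncated and the TCP retry to %s:%d failed (%s); "
            "check for a filter on tcp/53" % (qname, server, DNS_PORT, exc)
        ) from exc


if __name__ == "__main__":
    # Usage (assumed invocation): python3 dns_tcp_check.py example.com 192.0.2.1
    name, resolver = sys.argv[1], sys.argv[2]
    reply, transport = resolve_with_fallback(name, resolver, qtype=16)
    hdr = parse_header(reply)
    print("%s via %s: rcode=%d answers=%d bytes=%d"
          % (name, transport, hdr["rcode"], hdr["ancount"], len(reply)))
```

Querying a name with a large TXT RRSet is the usual way to provoke the truncated UDP reply; the same check can be made by hand with `dig +tcp @server name`, which skips UDP and goes straight to tcp/53.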