tcp limitations
Brad Knowles
brad.knowles at skynet.be
Mon Jun 11 07:30:56 UTC 2001
At 9:57 AM +0200 6/11/01, Guy Pazi wrote:
> what I meant was, do bind servers allow regular queries, besides zone
> transfer, to be accepted over tcp, without first being queried over udp.
Sure. Here's an example of two separate commands, each of which
generated completely independent DNS queries:
% dig aol.com. any
; <<>> DiG 9.1.2 <<>> aol.com. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2799
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 12
;; QUESTION SECTION:
;aol.com. IN ANY
;; ANSWER SECTION:
aol.com. 357 IN A 205.188.160.121
aol.com. 357 IN A 64.12.149.13
aol.com. 357 IN A 64.12.149.24
aol.com. 3580 IN NS dns-01.ns.aol.com.
aol.com. 3580 IN NS dns-02.ns.aol.com.
aol.com. 3580 IN MX 15 mailin-04.mx.aol.com.
aol.com. 3580 IN MX 15 mailin-01.mx.aol.com.
aol.com. 3580 IN MX 15 mailin-02.mx.aol.com.
aol.com. 3580 IN MX 15 mailin-03.mx.aol.com.
aol.com. 3594 IN SOA dns-01.ns.aol.com.
hostmaster.aol.net. 2001060800 1800 300 604800 3600
;; AUTHORITY SECTION:
aol.com. 3580 IN NS dns-01.ns.aol.com.
aol.com. 3580 IN NS dns-02.ns.aol.com.
;; ADDITIONAL SECTION:
dns-01.ns.aol.com. 1329 IN A 152.163.159.232
dns-02.ns.aol.com. 2998 IN A 205.188.157.232
mailin-04.mx.aol.com. 3580 IN A 152.163.224.122
mailin-04.mx.aol.com. 3580 IN A 205.188.158.25
mailin-04.mx.aol.com. 3580 IN A 205.188.156.249
mailin-01.mx.aol.com. 3580 IN A 152.163.224.26
mailin-01.mx.aol.com. 3580 IN A 64.12.136.57
mailin-01.mx.aol.com. 3580 IN A 205.188.156.122
mailin-01.mx.aol.com. 3580 IN A 205.188.157.25
mailin-02.mx.aol.com. 3580 IN A 64.12.136.89
mailin-02.mx.aol.com. 3580 IN A 205.188.156.154
mailin-02.mx.aol.com. 3580 IN A 64.12.136.121
;; Query time: 4 msec
;; SERVER: 10.1.2.3#53(0.0.0.0)
;; WHEN: Mon Jun 11 03:15:48 2001
;; MSG SIZE rcvd: 499
% dig aol.com. any +vc
; <<>> DiG 9.1.2 <<>> aol.com. any +vc
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7629
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 15
;; QUESTION SECTION:
;aol.com. IN ANY
;; ANSWER SECTION:
aol.com. 353 IN A 205.188.160.121
aol.com. 353 IN A 64.12.149.13
aol.com. 353 IN A 64.12.149.24
aol.com. 3576 IN NS dns-01.ns.aol.com.
aol.com. 3576 IN NS dns-02.ns.aol.com.
aol.com. 3576 IN MX 15 mailin-04.mx.aol.com.
aol.com. 3576 IN MX 15 mailin-01.mx.aol.com.
aol.com. 3576 IN MX 15 mailin-02.mx.aol.com.
aol.com. 3576 IN MX 15 mailin-03.mx.aol.com.
aol.com. 3590 IN SOA dns-01.ns.aol.com.
hostmaster.aol.net. 2001060800 1800 300 604800 3600
;; AUTHORITY SECTION:
aol.com. 3576 IN NS dns-01.ns.aol.com.
aol.com. 3576 IN NS dns-02.ns.aol.com.
;; ADDITIONAL SECTION:
dns-01.ns.aol.com. 1325 IN A 152.163.159.232
dns-02.ns.aol.com. 2994 IN A 205.188.157.232
mailin-04.mx.aol.com. 3576 IN A 152.163.224.122
mailin-04.mx.aol.com. 3576 IN A 205.188.158.25
mailin-04.mx.aol.com. 3576 IN A 205.188.156.249
mailin-01.mx.aol.com. 3576 IN A 152.163.224.26
mailin-01.mx.aol.com. 3576 IN A 64.12.136.57
mailin-01.mx.aol.com. 3576 IN A 205.188.156.122
mailin-01.mx.aol.com. 3576 IN A 205.188.157.25
mailin-02.mx.aol.com. 3576 IN A 64.12.136.89
mailin-02.mx.aol.com. 3576 IN A 205.188.156.154
mailin-02.mx.aol.com. 3576 IN A 64.12.136.121
mailin-03.mx.aol.com. 3576 IN A 152.163.224.88
mailin-03.mx.aol.com. 3576 IN A 64.12.136.153
mailin-03.mx.aol.com. 3576 IN A 205.188.156.186
;; Query time: 4 msec
;; SERVER: 0.0.0.0#53(0.0.0.0)
;; WHEN: Mon Jun 11 03:15:52 2001
;; MSG SIZE rcvd: 547
I used this particular example, so that you could see the larger
amount of data returned when the initial query was made using TCP (or
a "Virtual Connection" in DNS parlance). We can also show similar
queries when we're directly asking the AOL nameservers:
% dig @dns-01.ns.aol.com. aol.com. any
; <<>> DiG 9.1.2 <<>> @dns-01.ns.aol.com. aol.com. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45732
;; flags: qr aa rd; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 12
;; QUESTION SECTION:
;aol.com. IN ANY
;; ANSWER SECTION:
aol.com. 3600 IN MX 15 mailin-01.mx.aol.com.
aol.com. 3600 IN MX 15 mailin-02.mx.aol.com.
aol.com. 3600 IN MX 15 mailin-03.mx.aol.com.
aol.com. 3600 IN MX 15 mailin-04.mx.aol.com.
aol.com. 3600 IN NS dns-01.ns.aol.com.
aol.com. 3600 IN NS dns-02.ns.aol.com.
aol.com. 3600 IN SOA dns-01.ns.aol.com.
hostmaster.aol.net. 2001060800 1800 300 604800 3600
aol.com. 3600 IN A 205.188.160.121
aol.com. 3600 IN A 64.12.149.13
aol.com. 3600 IN A 64.12.149.24
;; AUTHORITY SECTION:
aol.com. 3600 IN NS dns-01.ns.aol.com.
aol.com. 3600 IN NS dns-02.ns.aol.com.
;; ADDITIONAL SECTION:
mailin-01.mx.aol.com. 3600 IN A 152.163.224.26
mailin-01.mx.aol.com. 3600 IN A 64.12.136.57
mailin-01.mx.aol.com. 3600 IN A 205.188.156.122
mailin-01.mx.aol.com. 3600 IN A 205.188.157.25
mailin-02.mx.aol.com. 3600 IN A 64.12.136.89
mailin-02.mx.aol.com. 3600 IN A 205.188.156.154
mailin-02.mx.aol.com. 3600 IN A 64.12.136.121
mailin-03.mx.aol.com. 3600 IN A 152.163.224.88
mailin-03.mx.aol.com. 3600 IN A 64.12.136.153
mailin-03.mx.aol.com. 3600 IN A 205.188.156.186
dns-01.ns.aol.com. 3600 IN A 152.163.159.232
dns-02.ns.aol.com. 3600 IN A 205.188.157.232
;; Query time: 5 msec
;; SERVER: 152.163.159.232#53(dns-01.ns.aol.com.)
;; WHEN: Mon Jun 11 03:18:08 2001
;; MSG SIZE rcvd: 499
% dig @dns-01.ns.aol.com. aol.com. any +vc
; <<>> DiG 9.1.2 <<>> @dns-01.ns.aol.com. aol.com. any +vc
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31826
;; flags: qr aa rd; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 15
;; QUESTION SECTION:
;aol.com. IN ANY
;; ANSWER SECTION:
aol.com. 3600 IN MX 15 mailin-01.mx.aol.com.
aol.com. 3600 IN MX 15 mailin-02.mx.aol.com.
aol.com. 3600 IN MX 15 mailin-03.mx.aol.com.
aol.com. 3600 IN MX 15 mailin-04.mx.aol.com.
aol.com. 3600 IN NS dns-01.ns.aol.com.
aol.com. 3600 IN NS dns-02.ns.aol.com.
aol.com. 3600 IN SOA dns-01.ns.aol.com.
hostmaster.aol.net. 2001060800 1800 300 604800 3600
aol.com. 3600 IN A 205.188.160.121
aol.com. 3600 IN A 64.12.149.13
aol.com. 3600 IN A 64.12.149.24
;; AUTHORITY SECTION:
aol.com. 3600 IN NS dns-01.ns.aol.com.
aol.com. 3600 IN NS dns-02.ns.aol.com.
;; ADDITIONAL SECTION:
mailin-01.mx.aol.com. 3600 IN A 152.163.224.26
mailin-01.mx.aol.com. 3600 IN A 64.12.136.57
mailin-01.mx.aol.com. 3600 IN A 205.188.156.122
mailin-01.mx.aol.com. 3600 IN A 205.188.157.25
mailin-02.mx.aol.com. 3600 IN A 64.12.136.89
mailin-02.mx.aol.com. 3600 IN A 205.188.156.154
mailin-02.mx.aol.com. 3600 IN A 64.12.136.121
mailin-03.mx.aol.com. 3600 IN A 152.163.224.88
mailin-03.mx.aol.com. 3600 IN A 64.12.136.153
mailin-03.mx.aol.com. 3600 IN A 205.188.156.186
mailin-04.mx.aol.com. 3600 IN A 152.163.224.122
mailin-04.mx.aol.com. 3600 IN A 205.188.158.25
mailin-04.mx.aol.com. 3600 IN A 205.188.156.249
dns-01.ns.aol.com. 3600 IN A 152.163.159.232
dns-02.ns.aol.com. 3600 IN A 205.188.157.232
;; Query time: 5 msec
;; SERVER: 152.163.159.232#53(dns-01.ns.aol.com.)
;; WHEN: Mon Jun 11 03:18:12 2001
;; MSG SIZE rcvd: 547
> I.e. do name servers REQUIRE an initial udp query to be first truncated
> before it will allow a matching tcp query, or do they accept tcp queries
> without questioning? And how common is it out there, to have name servers
> that don't answer any tcp (non-zone-transfer) queries at all?
TCP queries can be generated at any time, for any reason. No
matter what the circumstance, a properly implemented nameserver
should answer those queries, regardless of whether or not a
particular TCP query has been preceded or not by a particular UDP
query.
However, keep in mind that many sites mistakenly block TCP port
53, because they think that this will make them secure against
someone outside their network being able to do a zone transfer of
their DNS data.
Therefore, if you block UDP on both sides of the nameserver,
there are a lot of sites out there that you will not be able to
access (and who may not be able to access your site).
Moreover, there are a lot of improperly implemented nameservers
that do not restart with TCP a UDP query that resulted in a truncated
answer. So, none of these sites would be able to access your site,
either.
Generally speaking, if you're going to be using the DNS, you
should not be blocking either UDP or TCP port 53 traffic at the
firewall to/from the nameserver(s). Both UDP and TCP port 53 should
be allowed through to the nameserver(s), and if you want to secure
yourself against zone transfer, etc... then you should use the
built-in tools to do that.
> Blocking all udp traffic is critical for our company, so leaving it open in
> the firewall is not an option.
Then you're screwed. There are going to be huge chunks of the
Internet that you will not be able to access, and will not be able to
access your site. Technically, UDP port 53 traffic is not a
prerequisite, but in practice, there are so many badly implemented
servers, firewalls, and DNS clients out there that you're just not
going to be able to do very much if you block all UDP traffic.
> Changing the network structure is impossible as well.
Then you're really screwed.
> What's left is to minimize dns queries (all tcp). But how much is acceptable
> in ratio with udp queries?
So far as I know, there are no applications or DNS clients which
default to using TCP for the initial query. They all use UDP first,
and then hopefully will have the query restarted with TCP if the
result is truncated.
As I demonstrated above, you can certainly get around this
problem if you write your application in such a way as to do so, but
then you'd have to rewrite all OSes on all hardware platforms that
have ever existed, for the entire Internet. This is obviously not a
feasible task.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
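The UDP-first, restart-over-TCP-when-truncated behaviour discussed in this message, together with the forced-TCP path that the +vc runs above exercise, as an added example that is not code from the original post or from BIND. The in-memory sample server (fake_server, build_reply) is constructed for the demo and only imitates the one thing that matters here: a reply too large for UDP comes back with TC=1, and the same query over TCP comes back whole. The udp_transport/tcp_transport helpers talk to a real nameserver but are not needed to run the demo.

```python
# Added example, not code from the original post: UDP-first DNS query that is
# restarted over TCP only when the reply has TC=1, plus a force-TCP path (dig +vc).
import socket
import struct

HEADER_LEN = 12
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "ANY": 255}

def encode_name(name):
    """Wire-encode a name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Standard query, RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def parse_header(msg):
    """Decode the 12-byte header; the TC bit is what triggers the TCP retry."""
    if len(msg) < HEADER_LEN:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def udp_transport(server, port=53, timeout=3.0):
    """Real UDP transport (not exercised by the offline demo)."""
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recv(4096)
    return send

def tcp_transport(server, port=53, timeout=3.0):
    """Real TCP transport: framed query out, read the length prefix, then the message."""
    def send(query):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(tcp_frame(query))
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            return recv_exact(s, length)
    return send

def resolve(name, qtype, send_udp, send_tcp, force_tcp=False):
    """Return (transport_used, raw_reply). force_tcp=True mirrors dig's +vc."""
    query = build_query(name, qtype)
    txid = parse_header(query)["id"]
    if not force_tcp:
        reply = send_udp(query)
        hdr = parse_header(reply)
        if not hdr["qr"] or hdr["id"] != txid:
            raise ValueError("UDP reply does not match our query")
        if not hdr["tc"]:
            return "udp", reply
    # Truncated (or TCP forced): restart the identical query over TCP.
    reply = send_tcp(query)
    hdr = parse_header(reply)
    if not hdr["qr"] or hdr["id"] != txid:
        raise ValueError("TCP reply does not match our query")
    return "tcp", reply

# Constructed sample server for the offline demo; a real server drops whole
# records to fit UDP and sets TC=1, which is all this imitates.
def build_reply(query, addresses, truncated=False):
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in addresses)  # owner name = pointer to the question name
    return struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0) + query[HEADER_LEN:] + rrs

def fake_server(addresses, udp_limit=512):
    """Returns (udp, tcp) send functions: UDP truncates above udp_limit, TCP answers in full."""
    def udp(query):
        full = build_reply(query, addresses)
        return full if len(full) <= udp_limit else build_reply(query, addresses[:1], truncated=True)
    def tcp(query):
        framed = tcp_frame(build_reply(query, addresses))
        return framed[2:2 + struct.unpack("!H", framed[:2])[0]]
    return udp, tcp
```

With forty constructed A records the UDP reply overflows 512 bytes, so resolve() sees TC=1 and comes back with the full answer over TCP; with two records it never leaves UDP, and force_tcp=True goes straight to TCP the way dig +vc does. A client that stops at the first "if not hdr['tc']" check and never issues the TCP restart is exactly the "improperly implemented" resolver the message warns about, and a firewall dropping TCP/53 makes the restart fail even when the client does it.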