tcp limitations

Guy Pazi guy at wanwall.com
Tue Jun 12 14:44:08 UTC 2001




> -----Original Message-----
> From: Jim Reid [mailto:jim at rfc1035.com]
> Sent: Tuesday, 12 June, 2001 3:21 PM
> To: Guy Pazi
> Cc: Brad Knowles; bind-users at isc.org
> Subject: Re: tcp limitations
>
>
> >>>>> "Guy" == Guy Pazi <guy at wanwall.com> writes:
>
>     >> If you block all UDP traffic, DNS will not work. End of
>     >> story. Name servers use UDP *by default* and only use TCP when
>     >> a UDP answer is truncated. So either you get someone with a
>     >> clue to define your security policy and configure your firewall
>     >> appropriately or else you put your name servers outside the
>     >> firewall. There is no alternative.
>
>     Guy> My configuration IS with EXTERNAL dns servers.  The type of
>     Guy> transport protocol between a resolver and a name server is
>     Guy> dependent on the resolver, therefore, configuring the
>     Guy> INTERNAL resolvers to query the server using tcp only will
>     Guy> result only in tcp traffic. The question was, does a name
>     Guy> server keep query states in order to verify a tcp query was
>     Guy> preceded by a truncated udp one, or does it ignore tcp
>     Guy> queries that could have been answered via udp, or will it
>     Guy> just answer.  The answers I've received so far suggest there
>     Guy> is no problem with that.  The only problem that remains is that
>     Guy> tcp queries will overload the dns server more than udp ones
>     Guy> and my fear is that if all my queries will be over tcp, the
>     Guy> server will ignore them.
>
> Frankly, this verges on insanity. Rather than fix your firewall to do
> the right thing, you propose changing the standard behavior of every
> piece of DNS software that will ever live inside your network. Good
> luck. Have you any idea of the maintenance and administrative
> nightmare you'd be making for yourself? And what if somebody installs
> some new software that stamps all over your hypothetical TCP-only
> resolver? Or secretly uses its own UDP-only resolver? Oh and let's not
> overlook the overhead of the three-way TCP handshake to set up the
> connection. Every DNS lookup really needs that latency in front of it.
>

Jim,
I appreciate your honesty, and I'm already much aware of the problems I'll
be facing. This includes administrative, higher traffic volume, 3-way handshake
latency, future adaptations and all kinds of other monsters out there.
I appreciate your concern, and I understand your outrage, but these are my
problems, it will affect no one but my company, so I'm not sure why you keep
preaching at me.
My question wasn't whether this configuration makes sense, as you have no idea of
the other restrictions I'm facing. I was searching for an answer to a
specific question: "what is the down scale between a name server's
capabilities to handle dns queries over tcp instead of over udp". If you
know the answer or can estimate it, I'd appreciate your help. Your
disapproval of my configuration was already understood.

Guy
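The UDP-first, TCP-on-truncation behaviour Jim describes above, as an added example that is not part of this thread: a resolver-side check of the TC header bit that decides whether to re-ask over TCP, plus the two-byte length framing DNS uses on TCP. The query and response bytes are constructed here, not captured from any server.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 section 4.1.1).
QR_BIT = 0x8000  # message is a response
TC_BIT = 0x0200  # truncated: the answer did not fit in the UDP payload
RD_BIT = 0x0100  # recursion desired

def build_query(qname, qtype=1, qid=0x1234):
    """Return a DNS query in RFC 1035 wire format (QTYPE 1 = A, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", qid, RD_BIT, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def is_truncated(msg):
    """True if the server set TC, i.e. the UDP answer was cut short."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC_BIT)

def next_transport(udp_response):
    """Resolver decision: stay on UDP unless the UDP response was truncated."""
    return "tcp" if is_truncated(udp_response) else "udp"

def tcp_frame(msg):
    """Over TCP each DNS message is preceded by a two-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    """Split a TCP byte stream into complete messages; return (messages, unconsumed tail)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break  # partial message: keep the tail until more bytes arrive
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream

# Constructed header-only responses (not captured traffic): both echo the query
# with QR set; the second also sets TC, as a server does when the full answer
# would exceed the UDP message size limit.
QUERY = build_query("example.com")
FULL_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR_BIT | RD_BIT, 1, 0, 0, 0) + QUERY[12:]
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR_BIT | RD_BIT | TC_BIT, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print(next_transport(FULL_RESPONSE), next_transport(TRUNCATED_RESPONSE))  # udp tcp
    print(tcp_unframe(tcp_frame(QUERY) + tcp_frame(QUERY)[:5]))
```

A resolver forced to TCP-only skips the `next_transport` decision entirely and pays the handshake on every lookup; the framing helper shows the extra bytes each such query carries beyond the UDP payload.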


