Use of TCP port 53 for queries?
Brad Knowles
brad.knowles at skynet.be
Mon Mar 12 23:20:05 UTC 2001
At 5:22 PM -0500 3/12/01, Jim Ault wrote:

> My question is: Under what circumstances does a client initiate a UDP
> resolver query, and under what circumstances does a client initiate a TCP
> resolver query?

Unless otherwise specified by the program making the call to the
resolver library, and unless the query is for type AXFR (Zone
Transfer), then a UDP query should initially be used.

If the UDP query results in an answer that has the truncation bit
set in the authority section (there was too much data in the response
and we didn't even get all the authoritative information), then the
query should be restarted with TCP.

If the query results in a truncation in the additional section
(there was too much data in the response, but we got at least all the
authoritative information and at least some of the additional
information), then the application has the choice to retry the query
with TCP, but this probably won't be done automatically by the
resolver library.

For zone transfers, or where the application calling the resolver
library explicitly asks for a "virtual circuit" to be used, then the
query will be started with TCP.

> If something comes in on TCP port 53 is it ALWAYS guaranteed to be a zone
> transfer? I don't think so, but I can't find documentation to make the
> case clear.

No. There are legitimate uses of DNS via TCP for things other
than zone transfers. This is why having your router or firewall
block TCP to port 53 is a really bad idea -- you may *think* it just
stops zone transfers, but in reality it stops other stuff too, and
you may get a whole host of bizarre problems that result and which
you cannot explain.

If you want to block zone transfers, there are much better
control mechanisms to do that from within BIND itself. Under no
circumstances should you attempt to block zone transfers by blocking
TCP to port 53.

> If a client of the internal DNS server generates a TCP resolver query on
> a random high port, does BIND v9.1.0 keep the high port when it forwards
> the query to the external DNS forwarder host?

No, that should be forwarded with a port number obtained by the
forwarding server.
--
Brad Knowles, <brad.knowles at skynet.be>
#!/usr/bin/perl -w
# 531-byte qrpff-fast, Keith Winstein and Marc Horowitz <sipb-iap-dvd at mit.edu>
# MPEG 2 PS VOB file on stdin -> descrambled output on stdout
# arguments: title key bytes in least to most-significant order
# Usage:
# qrpff 153 2 8 105 225 /mnt/dvd/VOB_FILE_NAME | extract_mpeg2 | mpeg2_dec -
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map{$_%16or$t^=$c^=(
$m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;$t^=(72, at z=(64,72,$a^=12*($_%16
-2?0:$m&17)),$b^=$_%64?12:0, at z)[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h
=5;$_=unxb24,join"", at b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$
d=unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d>>12^$d>>4^
$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*8^$q<<6))<<9,$_=$t[$_]^
(($h>>=8)+=$f+(~$g&$t))for at a[128..$#a]}print+x"C*", at a}';s/x/pack+/g;eval
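The UDP-first, retry-on-truncation behaviour Brad describes above, as an added example that is not part of the original post or of BIND's resolver library. It is a minimal stub resolver in Python: it starts AXFR or an explicit "virtual circuit" request on TCP, otherwise sends the query over UDP and restarts over TCP only when the reply carries the TC (truncation) flag. The transports are injected as functions so the whole thing runs offline; the two sample replies, the name `example.test` and the address 192.0.2.1 are constructed for the demo.

```python
import struct

# Added example (not from the post): a tiny stub resolver that applies the rule
# Brad describes -- UDP first, retry over TCP only when the TC bit is set, and
# TCP from the start for AXFR or an explicit "virtual circuit". The sample
# replies further down are constructed by hand; no network access is needed.

QTYPE_A = 1
QTYPE_AXFR = 252
QCLASS_IN = 1
FLAG_TC = 0x0200  # truncation bit in the 16-bit flags word of the DNS header


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, zero-terminated)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """One-question query with RD set: 12-byte header + QNAME + QTYPE + QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def is_truncated(msg):
    """True when the responder set TC, i.e. the UDP reply was cut short."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    flags = struct.unpack(">H", msg[2:4])[0]
    return bool(flags & FLAG_TC)


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack(">H", len(msg)) + msg


def tcp_unframe(data):
    """Strip the 2-byte length prefix and return the message it delimits."""
    (length,) = struct.unpack(">H", data[:2])
    return data[2:2 + length]


def initial_transport(qtype, virtual_circuit=False):
    """AXFR and an explicit virtual-circuit request start on TCP; all else on UDP."""
    return "tcp" if qtype == QTYPE_AXFR or virtual_circuit else "udp"


def resolve(name, qtype, send_udp, send_tcp, virtual_circuit=False):
    """Run the query through the injected transports; return (transport_used, reply)."""
    query = build_query(name, qtype)
    if initial_transport(qtype, virtual_circuit) == "tcp":
        return "tcp", tcp_unframe(send_tcp(tcp_frame(query)))
    reply = send_udp(query)
    if is_truncated(reply):
        # Authoritative data did not fit in the UDP reply: restart over TCP.
        return "tcp", tcp_unframe(send_tcp(tcp_frame(query)))
    return "udp", reply


# --- constructed replies for the offline demo --------------------------------
QUESTION = encode_name("example.test") + struct.pack(">HH", QTYPE_A, QCLASS_IN)
# flags 0x8380 = QR | TC | RD | RA: a truncated UDP answer carrying no records
TRUNCATED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION
# flags 0x8180 = QR | RD | RA with one A record (example.test -> 192.0.2.1, TEST-NET)
A_RECORD = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
FULL_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + A_RECORD


def fake_udp_truncating(query):
    """Stands in for a server whose answer does not fit in a UDP datagram."""
    return TRUNCATED_REPLY


def fake_udp_complete(query):
    """Stands in for a server whose answer fits in a single datagram."""
    return FULL_REPLY


def fake_tcp(framed_query):
    """TCP side: verify the length prefix, then hand back a framed complete answer."""
    assert len(tcp_unframe(framed_query)) == len(framed_query) - 2
    return tcp_frame(FULL_REPLY)


if __name__ == "__main__":
    print(resolve("example.test", QTYPE_A, fake_udp_truncating, fake_tcp)[0])   # tcp
    print(resolve("example.test", QTYPE_A, fake_udp_complete, fake_tcp)[0])     # udp
    print(resolve("example.test", QTYPE_AXFR, fake_udp_complete, fake_tcp)[0])  # tcp
```

The point of the demo is the middle case: an ordinary A query that comes back truncated is retried on TCP port 53, which is exactly the traffic a "block TCP/53 to stop zone transfers" firewall rule silently breaks. To stop transfers themselves, use BIND's own `allow-transfer` option (per zone or globally in `options`) rather than a port filter.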
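The "better control mechanism from within BIND itself" that Brad points to, as an added named.conf example that is not from the post or from any real deployment. It denies transfers by default and then permits them only to the listed secondaries for one zone, leaving TCP/53 open for everything else (truncated-answer retries, large responses). The ACL name, zone name, file name and the 192.0.2.x addresses are placeholders.

```conf
// Added example, not Brad's configuration: restrict AXFR in named.conf
// instead of filtering TCP port 53. Addresses are RFC 5737 TEST-NET placeholders.
acl "secondaries" { 192.0.2.10; 192.0.2.11; };

options {
    // Default for every zone on this server: nobody may transfer it.
    allow-transfer { none; };
};

zone "example.test" {
    type master;
    file "db.example.test";
    // Only the listed secondaries may pull this zone. Ordinary queries over
    // TCP (for example a retry after a truncated UDP answer) are unaffected.
    allow-transfer { "secondaries"; };
};
```

With this in place an AXFR request from any other address gets a REFUSED response from named, while a resolver that falls back to TCP after a truncated reply still gets its answer.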