Use of TCP port 53 for queries?

Brad Knowles brad.knowles at skynet.be
Mon Mar 12 23:20:05 UTC 2001


At 5:22 PM -0500 3/12/01, Jim Ault wrote:

>  My question is:  Under what circumstances does a client initiate a UDP
>  resolver query, and under what circumstances does a client initiate a TCP
>  resolver query?

	Unless otherwise specified by the program making the call to the 
resolver library, and unless the query is for type AXFR (Zone 
Transfer), then a UDP query should initially be used.

	If the UDP query results in an answer that has the truncation bit 
set in the authority section (there was too much data in the response 
and we didn't even get all the authoritative information), then the 
query should be restarted with TCP.

	If the query results in a truncation in the additional section 
(there was too much data in the response, but we got at least all the 
authoritative information and at least some of the additional 
information), then the application has the choice to retry the query 
with TCP, but this probably won't be done automatically by the 
resolver library.


	For zone transfers, or where the application calling the resolver 
library explicitly asks for a "virtual circuit" to be used, then the 
query will be started with TCP.

>  If something comes in on TCP port 53 is it ALWAYS guaranteed to be a zone
>  transfer?  I don't think so, but I can't find documentation to make the
>  case clear.

	No.  There are legitimate uses of DNS via TCP for things other 
than zone transfers.  This is why having your router or firewall 
block TCP to port 53 is a really bad idea -- you may *think* it just 
stops zone transfers, but in reality it stops other stuff too, and 
you may get a whole host of bizarre problems that result and which 
you cannot explain.

	If you want to block zone transfers, there are much better 
control mechanisms to do that from within BIND itself.  Under no 
circumstances should you attempt to block zone transfers by blocking 
TCP to port 53.

>  If a client of the internal DNS server generates a TCP resolver query on
>  a random high port, does BIND v9.1.0 keep the high port when it forwards
>  the query to the external DNS forwarder host?

	No, that should be forwarded with a port number obtained by the 
forwarding server.

--
Brad Knowles, <brad.knowles at skynet.be>
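The UDP-first, retry-over-TCP behaviour described in the reply above, as an added example (not code from the original post or from BIND): it reads the TC bit from a wire-format response header, picks the initial transport (UDP unless the type is AXFR or a "virtual circuit" was requested), restarts the same query over TCP when the UDP answer was truncated, and shows the 2-byte length framing that TCP DNS uses. The `send` callback and the `socket_send` helper are my assumptions about how the bytes get delivered.

```python
import socket
import struct

QTYPE_A, QTYPE_AXFR = 1, 252
FLAG_TC = 0x0200  # TC (truncation) bit in the header FLAGS word, RFC 1035 4.1.1

def build_query(qname, qtype, txid=0x1234):
    """Wire-format query: 12-byte header (RD=1), QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """True when the responder set TC, i.e. the full answer did not fit in the UDP reply."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)

def initial_transport(qtype, virtual_circuit=False):
    """UDP first, unless the caller asked for a virtual circuit or the type is AXFR."""
    return "tcp" if (virtual_circuit or qtype == QTYPE_AXFR) else "udp"

def frame_tcp(message):
    """Over TCP each DNS message is prefixed with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message

def resolve(qname, qtype, send, virtual_circuit=False):
    """Transport selection with truncation fallback; returns (transports_used, response).
    `send(transport, wire)` is an assumed caller-supplied delivery function (see socket_send)."""
    query = build_query(qname, qtype)
    transport = initial_transport(qtype, virtual_circuit)
    used = [transport]
    response = send(transport, query)
    if transport == "udp" and is_truncated(response):
        used.append("tcp")  # the truncated UDP answer is discarded; same query restarted over TCP
        response = send("tcp", query)
    return used, response

def socket_send(server, transport, wire, timeout=3.0):
    """Deliver `wire` to server:53 over the chosen transport (assumes network access to server)."""
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(wire, (server, 53))
            return s.recv(4096)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(wire))
        length = struct.unpack("!H", s.recv(2))[0]
        buf = b""
        while len(buf) < length:  # TCP is a stream: read until the framed length is satisfied
            chunk = s.recv(length - len(buf))
            if not chunk:
                break
            buf += chunk
        return buf
```

If the TCP leg is blocked at a firewall, `resolve` hangs or fails exactly at the second `send`, which is the "bizarre problems" failure mode the reply warns about: a plain A query with a large answer never completes.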



More information about the bind-users mailing list