BIND 9.2.1 and TCP
zack.nash at amd.com
Thu Nov 7 18:15:19 UTC 2002
The FQDN is nash.amd.com. and the total number of name servers is 24 with an A record per name server.
My configuration is:
acl "access1" {
    127.0.0.1/32;        # localhost
    <my ip is here>;     # my host
};
acl "access2" {
    <some other IPs>
};
options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    version "Name Server 1.0";
    allow-transfer { 127.0.0.1/32; };
};
view "access2" {
    match-clients { "access2"; };
    allow-transfer { none; };
    notify no;
    <Zone Information>
};
view "access1" {
    match-clients { "access1"; };
    query-source address * port 53;
    allow-transfer { none; };
    notify no;
    <Zone Information>
};
We noticed the issue because there is a firewall that blocks TCP 53 between a subset of the hosts that use this server to query.
We have seen that the client makes a UDP request to the name server, then the name server responds requesting a TCP request; the client responds by making a TCP request, but it is blocked.
Named is also running in a jail: an OS-level jail, and the application itself is also jailed using -t and running as an unprivileged user.
Thanks,
Zack
-----Original Message-----
From: Mark Damrose [mailto:mdamrose at elgin.cc.il.us]
Sent: Wednesday, November 06, 2002 7:04 PM
To: comp-protocols-dns-bind at isc.org
Subject: Re: BIND 9.2.1 and TCP
<zack.nash at amd.com> wrote in message news:aqcgls$5cp$1 at isrv4.isc.org...
>
> The request is for a single A record, ( nash 3600 IN A 192.168.0.1 ),
> would this be too large to fit in a UDP packet.
Probably not, but...
What's the fully qualified name?
How many name servers?
How many A records for those name servers?
> Also we have BIND 8 servers that serve the same information and they do
> not revert to TCP for these records. Could this possibly be a
> misconfiguration on my part,
Yes it could, but you haven't specified any information about how you have
it configured. Do you have a firewall between the clients and the server
blocking UDP? On the server? On the clients?
> or is there no way to restrict the server to only using udp?
The server should respond in whatever manner the client makes the request.
> Thanks,
> Zack
>
> -----Original Message-----
> From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
> Sent: Wednesday, November 06, 2002 4:25 PM
> To: Nash, Zack
> Cc: bind-users at isc.org
> Subject: Re: BIND 9.2.1 and TCP
>
>
>
> > Hello,
> > I have noticed that my BIND 9.2.1 servers are requesting that my DNS
> > clients use TCP rather than UDP to resolve hostnames, for all queries
> > against this server.
> > My understanding is that UDP is used unless the packet is too large, then
> > the server will request a TCP connection from the client. I have seen this
> > occur for queries of a single A record. Is this behavior a bug or is this a
> > new standard that is being implemented with the advent of BIND 9?
> > Thanks,
> > Zack
>
> Well the answers must be too big to fit in the space available in a
> UDP response. Remember the authority section can also trigger TC.
>
> Mark
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
>
>
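As an added illustration (not part of the thread) of Mark Andrews's point that the authority section alone can push a response past the 512-byte UDP limit: the script below estimates, with name compression, the size of the response for the single A record above once the zone's 24 NS records (authority) and their glue (additional) are attached, following BIND 9's rendering rule that an overflowing answer or authority section sets TC while an overflowing additional section just loses its glue. The name-server hostnames are constructed assumptions; the thread only gives their count.

```python
UDP_LIMIT = 512    # classic DNS/UDP payload limit (no EDNS, as with 2002 clients)
HEADER = 12        # fixed DNS header
FIXED_RR = 10      # type(2) + class(2) + ttl(4) + rdlength(2) per resource record


class NameWriter:
    """Models DNS name compression: a suffix already written earlier in the
    message is replaced by a 2-byte pointer instead of being spelled out."""

    def __init__(self):
        self.seen = set()

    def size(self, name):
        labels = name.rstrip(".").lower().split(".")
        n = 0
        for i in range(len(labels)):
            suffix = tuple(labels[i:])
            if suffix in self.seen:
                return n + 2              # compression pointer
            self.seen.add(suffix)
            n += 1 + len(labels[i])       # length octet + label
        return n + 1                      # terminating root label


def plan_udp_response(qname, zone, ns_names, answer_rdlen=4, glue_rdlen=4):
    """Estimate the UDP response for one A answer plus the zone's NS RRset
    (authority) and glue (additional). Mirrors BIND 9's rendering rule:
    answer/authority overflow sets TC, additional overflow just drops glue."""
    w = NameWriter()
    size = HEADER + w.size(qname) + 4                      # question
    size += w.size(qname) + FIXED_RR + answer_rdlen        # answer: 1 A record
    for ns in ns_names:                                    # authority: NS RRset
        size += w.size(zone) + FIXED_RR + w.size(ns)
    tc = size > UDP_LIMIT
    glue = 0
    if not tc:                                             # additional: glue A
        for ns in ns_names:
            rr = w.size(ns) + FIXED_RR + glue_rdlen
            if size + rr > UDP_LIMIT:
                break                                      # dropped, no TC
            size += rr
            glue += 1
    return {"needed": size, "tc": tc, "glue": glue}


# Constructed name-server names (the thread gives only their count, 24).
SHORT_NS = [f"ns{i:02d}.amd.com." for i in range(1, 25)]        # 4-char hostnames
LONG_NS = [f"nameserver{i:02d}.amd.com." for i in range(1, 25)]  # 12-char hostnames

if __name__ == "__main__":
    for label, names in (("short", SHORT_NS), ("long", LONG_NS)):
        print(label, plan_udp_response("nash.amd.com.", "amd.com.", names))
```

With 24 NS records the authority section has 466 bytes left after the answer, which is 19 bytes per NS RR: a hostname of at most four characters under amd.com compresses to exactly that, so any longer label, or a name server outside the zone, tips the response into TC even though the answer itself is one 16-byte record.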