BIND 9.2.1 and TCP

zack.nash at amd.com
Thu Nov 7 18:15:19 UTC 2002


The FQDN is nash.amd.com. and the total number of name servers is 24 with an A record per name server.

My configuration is:

acl "access1" {
        127.0.0.1/32;           # localhost
        <my ip is here>;        # my host (each list element ends with ';')
};

acl "access2" {
        <some other IPs>;
};

options {
        directory "/var/named";
        pid-file "/var/named/named.pid";
        version "Name Server 1.0";          # hide the real version string
        allow-transfer { 127.0.0.1/32; };   # each view below overrides this with 'none'
};

# Views are tried in order; the first whose match-clients matches the
# querier is used, so keep the narrower ACL ahead of any broader one.
view "access2" {
        match-clients { "access2"; };
        allow-transfer { none; };
        notify no;

        <Zone Information>
};

view "access1" {
        match-clients { "access1"; };       # the ';' after "access1" is required
        query-source address * port 53;
        allow-transfer { none; };
        notify no;

        <Zone Information>
};

We noticed the issue because there is a firewall that blocks TCP 53 between a subset of the hosts that use this server to query.
We have seen that the client makes a UDP request to the name server, then the name server responds requesting a TCP request; the client responds by making a TCP request, but it is blocked.

named is also running in a jail: an OS-level jail, and the application is also jailed using -t and running as an unprivileged user.


Thanks,
Zack


-----Original Message-----
From: Mark Damrose [mailto:mdamrose at elgin.cc.il.us]
Sent: Wednesday, November 06, 2002 7:04 PM
To: comp-protocols-dns-bind at isc.org
Subject: Re: BIND 9.2.1 and TCP


<zack.nash at amd.com> wrote in message news:aqcgls$5cp$1 at isrv4.isc.org...
>
> The request is for a single A record, ( nash 3600 IN A 192.168.0.1 ), would this be too large to fit in a UDP packet?

Probably not, but...
What's the fully qualified name?
How many name servers?
How many A records for those name server?

> Also we have BIND 8 servers that serve the same information and they do not revert to TCP for these records.  Could this possibly be a misconfiguration on my part,

Yes it could, but you haven't specified any information about how you have it configured.  Do you have a firewall between the clients and the server blocking UDP?  On the server?  On the clients?

> or is there no way to restrict the server to only using udp?

The server should respond in whatever manner the client makes the request.

> Thanks,
> Zack
>
> -----Original Message-----
> From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
> Sent: Wednesday, November 06, 2002 4:25 PM
> To: Nash, Zack
> Cc: bind-users at isc.org
> Subject: Re: BIND 9.2.1 and TCP
>
>
>
> > Hello,
> > I have noticed that my BIND 9.2.1 servers are requesting that my DNS clients use TCP rather than UDP to resolve hostnames, for all queries against this server.
> > My understanding is that UDP is used unless the packet is too large, then the server will request a TCP connection from the client.  I have seen this occur for queries of a single A record.  Is this behavior a bug, or is this a new standard that is being implemented with the advent of BIND 9?
> > Thanks,
> > Zack
>
> Well the answers must be too big to fit in the space available in a
> UDP response.  Remember the authority section can also trigger TC.
>
> Mark
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
>
>


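The mechanism discussed in this thread (a one-record answer that still comes back truncated because the authority section with 24 NS records, plus their glue, cannot fit in a 512-byte UDP reply, after which the client retries over TCP 53) can be reproduced on the wire. The following is an added illustration written for this page; it is not BIND's code and not anything posted by the participants. The NS names (ns-server-01.amd.com. and so on), the 10.0.0.x glue addresses and the TTLs are constructed, and the server-side rule it encodes is the one in RFC 2181 section 9 in simplified form: answer and authority records are required, so if one does not fit the TC bit is set, while additional-section glue is optional and is just dropped when out of room.

```python
"""Why a single-A-record answer can still come back with TC set, and what the
client does about it.  Added illustration for this thread, not BIND code; all
names, addresses and TTLs below are constructed."""
import struct

UDP_LIMIT = 512                       # DNS/UDP payload limit without EDNS0 (RFC 1035)
CLASS_IN = 1
TYPE_A, TYPE_NS = 1, 2
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name, offsets, at):
    """Wire-encode a domain name with RFC 1035 label compression.
    offsets maps a suffix such as 'amd.com.' to the message offset where it was
    first written; at is the message offset this name starts at."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]) + "."
        if suffix in offsets:                           # reuse the earlier copy
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return bytes(out)
        offsets[suffix] = at + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"                                      # root label
    return bytes(out)


def encode_rr(name, rtype, ttl, rdata_fn, offsets, at):
    """Encode one RR.  rdata_fn(offsets, at) builds the RDATA, so a name inside
    it (an NS target) is compressed against the message written so far."""
    owner = encode_name(name, offsets, at)
    rdata = rdata_fn(offsets, at + len(owner) + 10)    # 10 = type, class, ttl, rdlength
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return lambda offsets, at: bytes(int(o) for o in ip.split("."))


def ns_rdata(target):
    return lambda offsets, at: encode_name(target, offsets, at)


def build_response(qname, answer, authority, additional, limit=UDP_LIMIT, qid=0x1234):
    """Assemble the response a UDP-limited server can send.  Answer and
    authority RRs are required: if one does not fit, stop and set TC.  Glue in
    the additional section is optional and is silently dropped when out of
    room (RFC 2181 section 9).  Returns (wire_message, tc_set)."""
    offsets, body, counts, tc = {}, bytearray(), [1, 0, 0, 0], False
    body += encode_name(qname, offsets, 12) + struct.pack("!HH", TYPE_A, CLASS_IN)
    sections = ((answer, True), (authority, True), (additional, False))
    for idx, (rrs, required) in enumerate(sections, start=1):
        for name, rtype, ttl, rdata_fn in rrs:
            trial = dict(offsets)                       # keep no offsets of a dropped RR
            wire = encode_rr(name, rtype, ttl, rdata_fn, trial, 12 + len(body))
            if 12 + len(body) + len(wire) > limit:
                tc = required
                break
            offsets, body = trial, body + wire
            counts[idx] += 1
        if tc:
            break
    flags = FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    return bytes(struct.pack("!HHHHHH", qid, flags, *counts) + body), tc


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def client_should_retry_over_tcp(msg):
    """Stub-resolver rule: a truncated UDP reply is retried over TCP port 53.
    With TCP 53 filtered between client and server, resolution stalls here."""
    return parse_header(msg)["tc"]


def demo(ns_count=24):
    """Constructed data mirroring the thread's numbers: one A record for
    nash.amd.com plus ns_count NS records for amd.com, each with glue.  The NS
    names and addresses are invented."""
    zone, qname = "amd.com.", "nash.amd.com."
    ns_names = [f"ns-server-{i:02d}.{zone}" for i in range(1, ns_count + 1)]
    answer = [(qname, TYPE_A, 3600, a_rdata("192.168.0.1"))]
    authority = [(zone, TYPE_NS, 3600, ns_rdata(n)) for n in ns_names]
    additional = [(n, TYPE_A, 3600, a_rdata(f"10.0.0.{i}"))
                  for i, n in enumerate(ns_names, start=1)]
    udp, tc = build_response(qname, answer, authority, additional)
    full, _ = build_response(qname, answer, authority, additional, limit=65535)
    hdr = parse_header(udp)
    return {"udp_size": len(udp), "full_size": len(full), "tc": tc,
            "nscount": hdr["nscount"], "arcount": hdr["arcount"],
            "retry_tcp": client_should_retry_over_tcp(udp)}


if __name__ == "__main__":
    for n in (4, 17, 24):
        print(n, "name servers:", demo(n))
```

With the constructed names, 4 name servers fit with all their glue, 17 fit only after the glue is dropped (no TC), and 24 overflow inside the required authority section, so TC is set and the client goes to TCP even though the answer section holds one 16-byte record. To check a real server, query it with dig: a truncated reply shows `tc` in the flags line and dig prints `;; Truncated, retrying in TCP mode.`; `dig +ignore` suppresses the TCP retry so the UDP reply itself can be inspected.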