DNS and TCP

Simon Waters Simon at wretched.demon.co.uk
Wed Oct 2 17:08:28 UTC 2002


Bill Larson wrote:
> 
> I would like to provide them an example of where their blocking DNS
> services using TCP may cause problems.  Specific possibilities that I
> can imagine would include:
> 
>         Large numbers of glue records (lots of NS records for the zone)
> 
>         Large numbers of answers (multiple records, maybe MX records?)
> 
>         Large answers (a large TXT record)
> 
> Contriving such a situation would be trivial, I have done this using
> long TXT records, but can anyone provide an example that really is
> being used out there?

Few such domains exist, largely because people incorrectly
block TCP, so if it is the answer to a normal query the site
quickly figures out how to get it below 512 bytes, or vanishes.

In DNS troubleshooting you sometimes issue queries that aren't
typical, such as an "any" query rather than "A", "MX" or "PTR".

i.e.

"dig expedia.com any"

Although pragmatically expedia.com doesn't matter, as if you
query the servers directly they will truncate at 512 in the
middle of the additional section.

Also some sites hosting multiple websites on the same IP address
sometimes add all these domain names as PTR records for that IP
address, daft, but it happens. I don't have an example to hand,
I tried a few cases reported in this group before, but they have
all gone (probably says something about the prospects of hosting
companies who are technically clueless).

More to the point, if you accidentally make your zone return a
query over 512, and block TCP, you'll shoot yourself in the foot
big time, rather than just breaking DNS for those who
incorrectly block TCP themselves. One way makes you look stupid,
with the other at least you can blame other people's daft
settings for why their email didn't make it ;-) Similarly, if
your company's best customer makes the same "mistake", you'd
still like to get email to them I suspect. So even if it doesn't
matter today, it is setting yourselves up for unnecessary
glitches in the future.

Obviously DNSSEC and IPv6 may eventually change the size of the
typical DNS queries.
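The 512-byte UDP limit and the TC-bit fallback that this thread turns on, as an added example that is not part of the original post or of BIND: plain Python with no external libraries, building wire-format messages by hand. The zone name example.test, the record contents and the message ID are constructed values; a server that blocks TCP leaves its clients with only what the udp=True path returns.

```python
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP payload cap (pre-EDNS0); bigger answers need TCP
TC_BIT = 0x0200  # "truncated" flag in the DNS header

def encode_name(name):
    """Dotted name -> DNS label sequence (no compression), terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def txt_rr(name, text, ttl=300):
    """One TXT RR (TYPE 16, class IN) in wire format: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    rdata = struct.pack("B", len(text)) + text.encode()
    return encode_name(name) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata

def build_response(qname, rrs, udp=False):
    """Serialise a response to 'qname ANY'. With udp=True behave like a server limited
    to 512 bytes: keep whole RRs while they fit, then set TC and drop the rest."""
    flags = 0x8180  # QR=1 RD=1 RA=1
    question = encode_name(qname) + struct.pack("!HH", 255, 1)  # QTYPE=ANY QCLASS=IN
    body, ancount = b"", 0
    for rr in rrs:
        if udp and 12 + len(question) + len(body) + len(rr) > UDP_LIMIT:
            flags |= TC_BIT  # RFC 1035: truncate and tell the client to retry over TCP
            break
        body += rr
        ancount += 1
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + question + body

def is_truncated(msg):
    """Client side: a set TC bit means the UDP answer is incomplete; retry over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)

def answer_count(msg):
    """ANCOUNT field of the header."""
    return struct.unpack("!H", msg[6:8])[0]

def check_answer(qname, rrs):
    """Does the full answer fit in a 512-byte UDP reply, and what does a client that
    can only reach the server over UDP actually get back?"""
    full = build_response(qname, rrs)
    over_udp = build_response(qname, rrs, udp=True)
    return {"full_size": len(full), "fits_udp": len(full) <= UDP_LIMIT,
            "udp_answers": answer_count(over_udp), "tc_set": is_truncated(over_udp)}

# Constructed sample: five 100-character TXT records, the long-TXT case from the thread.
SAMPLE_RRS = [txt_rr("example.test", "x" * 100) for _ in range(5)]

if __name__ == "__main__":
    print(check_answer("example.test", SAMPLE_RRS))
    # -> {'full_size': 655, 'fits_udp': False, 'udp_answers': 3, 'tc_set': True}
```

Swapping the TXT records for many PTR or NS records exercises the other two cases from the question; the size arithmetic is the same.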


More information about the bind-users mailing list