BIND and TCP

Kevin Darcy kcd at daimlerchrysler.com
Sat Sep 24 00:01:15 UTC 2005


Michael Bernhardt wrote:

>I'm running BIND 9.2.3. Our outside servers are set to only allow zone
>transfers to our ISP's slave. Our firewall is set to only allow UDP packets
>to them, except to/from that slave. But we can see that the server does
>attempt TCP traffic to other DNS servers anyway. No one seems to complain
>about poor performance but maybe the lack of TCP shows up in other ways?
>
>I understand that BIND will use TCP for queries when the packet size of 512
>is insufficient (if that's not correct, please educate me). I also am to
>understand the RFC supposedly requires that DNS use TCP in these
>circumstances. But we do not want to be bothered with everyone and their
>bored brothers being able to do any more than absolutely necessary.
>
>Is there a way to tell BIND to never use TCP? Does anyone have
>recommendations on how to best balance security and proper application, with
>the edge going toward security? Can't find anything on this in the O'Reilly
>BIND book but maybe I missed it.
>
Frankly, I think that's a rather irresponsible attitude. "No one seems 
to complain" about the fact that you're blocking responses to their 
queries for no good reason?!?!?! Maybe you've just been lucky so far, 
but it's going to be your ass on the line if some important VIP's app 
fails some day because of your poor DNS infrastructure design decision.

EDNS0 will lessen the need for TCP retry, but there will always be 
situations where it is necessary. And you do a disservice to your users, 
IMO, by being more concerned about "bored brothers" and what they may be 
up to, than you are about their ability to resolve perfectly legitimate 
DNS queries.

- Kevin
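The mechanism the two messages argue about, written out as an added example (it is not code from the thread, from BIND, or from either poster): a resolver sends a UDP query, the server sets the TC bit when the answer will not fit in the advertised UDP payload size (512 bytes without EDNS0, or whatever the OPT record's CLASS field says with EDNS0), and the resolver must retry over TCP when it sees TC=1. The responder here is a constructed stand-in that only decides whether to truncate, the answer length of 1500 bytes and the buffer sizes 4096 and 1232 are illustrative assumptions, and the query/response bytes are built in-line so it runs offline.

```python
"""DNS truncation and EDNS0 walkthrough (added example; not BIND code)."""
import struct

DNS_DEFAULT_UDP_SIZE = 512   # RFC 1035 limit for a UDP answer without EDNS0
OPT_TYPE = 41                # RFC 6891 OPT pseudo-RR type
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, txn_id=0x1234, edns_udp_size=None):
    """Build a query; with edns_udp_size, append an EDNS0 OPT RR advertising that buffer."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txn_id, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    opt = b""
    if edns_udp_size:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=extended rcode/version/flags (all zero), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into the fields a resolver acts on."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def advertised_udp_size(msg):
    """UDP payload size the sender can accept: OPT CLASS field if present, else 512."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4                  # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return DNS_DEFAULT_UDP_SIZE


def make_response(query, truncated):
    """Constructed responder (sample data, not a real server): echo the question,
    set QR/RD/RA, and set TC when the full answer would not fit the client's buffer."""
    h = parse_header(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    q_end = skip_name(query, 12) + 4
    return struct.pack("!HHHHHH", h["id"], flags, h["qdcount"], 0, 0, 0) + query[12:q_end]


def needs_tcp_retry(response):
    """RFC 1035 s4.2.1: a TC=1 UDP answer must be re-asked over TCP, not used as-is."""
    return parse_header(response)["tc"]


def simulate(name, edns_udp_size=None, answer_len=1500):
    """Return 'udp' if the (assumed) answer_len-byte answer arrives whole, else 'tcp'."""
    query = build_query(name, edns_udp_size=edns_udp_size)
    limit = advertised_udp_size(query)
    response = make_response(query, truncated=answer_len > limit)
    return "tcp" if needs_tcp_retry(response) else "udp"


if __name__ == "__main__":
    for size in (None, 1232, 4096):
        print(f"EDNS0 buffer {size or 'none (512)'}: {simulate('example.com', size)}")
```

The 4096-byte case is what EDNS0 buys you: the same 1500-byte answer that forces TCP at 512 bytes fits in one datagram. The 1232-byte case is why the TCP fallback never goes away entirely: any answer larger than the advertised buffer still comes back with TC=1, and a firewall that drops the follow-up TCP query turns that into a resolution failure rather than a slowdown.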
