Can I forward DNS request using TCP?
Kevin Darcy
kcd at chrysler.com
Tue Jul 22 00:54:54 UTC 2008
igor wrote:
> I have configured a forward DNS server in Linux, unfortunately it
> seems that the UDP packets are being lost therefore my server is
> giving "service failure" to its clients.
>
BIND has an aggressive, persistent retry regime. Are you dropping SO
MANY packets? What's your drop percentage?
Are you sure UDP to port 53 isn't completely *blocked* (or possibly
throttled?) somewhere upstream? Are you able to make exactly *the*same*
queries successfully with TCP as fail with UDP?
What source port(s) are you using? If you're locking your source port to
53, then a) that source port may be blocked/throttled by your upstream
provider, and b) even if it isn't, it's really bad to be locked to a
given source port, given the nasty response-forgery exploit that's about
to be disclosed to the public (including the hackers).
It's possible that your upstream provider may be doing you a *favor* by
blocking UDP source port 53, thus forcing you to unlock it and making
you more secure.
Or, maybe they just don't want you hosting your own DNS server on your
"sub-enterprise-class" account with them, and this is their (lazy?
incompetent?) way of preventing you from doing that.
> I haven't found a way to make the forward requests go via TCP over the
> forwarders.
>
> Can you please tell me if this is doable or not? Is there a parameter
> on named.conf or named.boot I need to change
Not doable.
> or do I need to get the
> named source and "hack it".
>
>
I wouldn't recommend it. TCP is a hog, and if you're really getting
TERRIBLE drop rates for your packets, that drop rate is most likely
going to affect TCP as well as UDP, the only real difference being that
in the case of TCP, your network stack will be performing the retries;
with UDP, named itself does the retries. In fact, by forcing TCP you may
exacerbate the problem by putting even *more* traffic on the link (SYN,
SYN-ACK, ACK, FIN, FIN-ACK, etc.), thus possibly saturating it even more.
Question: why are you using forwarding at all? It doesn't usually
provide a benefit.
- Kevin
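The check Kevin asks for above (does exactly the same query that fails over UDP succeed over TCP, and at what drop rate?) can be run from outside named. The script below is an added diagnostic example; it is not code from this thread or from BIND, and it does not change how named forwards (named cannot be told to forward over TCP). It hand-builds one DNS query, sends it repeatedly over UDP and over TCP with the RFC 1035 two-byte length framing, accepts only replies whose ID and question section match, and reports a per-transport drop percentage. `RESOLVER` and `QNAME` are placeholders to replace with the forwarder under test and a name it should answer for. Because the UDP socket is not bound, the OS picks a random ephemeral source port, which is the opposite of a `query-source` port lock.

```python
"""Send one identical DNS query over UDP and over TCP and compare outcomes.

Added diagnostic, not code from the thread or from BIND. RESOLVER and
QNAME are placeholders; replace them before running.
"""
import random
import socket
import struct

RESOLVER = "192.0.2.53"   # placeholder: the forwarder you are testing
QNAME = "example.com"     # placeholder: any name it should answer for


def build_query(name, qtype=1, txid=None):
    """Minimal DNS query: 16-bit ID, RD set, one IN question."""
    if txid is None:
        txid = random.getrandbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def tcp_frame(msg):
    """RFC 1035 section 4.2.2: over TCP each message is preceded by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(resp):
    """Decode the 12-byte header fields a diagnosis cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def response_matches(query, resp):
    """Accept only a reply with QR set, the same ID, and the same question echoed back."""
    if len(resp) < len(query):
        return False
    hdr = parse_header(resp)
    return (hdr["qr"] and hdr["id"] == parse_header(query)["id"]
            and resp[12:len(query)] == query[12:])


def query_udp(server, msg, timeout=2.0):
    # Unbound socket: the OS chooses a random ephemeral source port.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        data, _ = s.recvfrom(4096)
        return data


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def query_tcp(server, msg, timeout=2.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(tcp_frame(msg))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def drop_percentage(ok, failed):
    total = ok + failed
    return 0.0 if total == 0 else 100.0 * failed / total


def probe(server=RESOLVER, name=QNAME, attempts=10):
    """Send the same query `attempts` times per transport; count matched replies."""
    results = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        ok = failed = 0
        for _ in range(attempts):
            q = build_query(name)
            try:
                resp = fn(server, q)
            except OSError:          # timeout, refused, reset, closed mid-message
                failed += 1
                continue
            if response_matches(q, resp):
                ok += 1
            else:
                failed += 1
        results[label] = {"ok": ok, "failed": failed,
                          "drop_pct": drop_percentage(ok, failed)}
    return results


if __name__ == "__main__":
    for transport, r in probe().items():
        print(f"{transport}: {r['ok']} ok, {r['failed']} failed, "
              f"{r['drop_pct']:.0f}% dropped")
```

Reading the result: a high UDP drop percentage with TCP answering cleanly points at something filtering or throttling UDP/53 upstream, which is the situation Kevin describes; comparable loss on both transports points at a genuinely lossy link, where forcing TCP would only add handshake traffic.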