Can I forward DNS request using TCP?

Kevin Darcy kcd at chrysler.com
Tue Jul 22 00:54:54 UTC 2008


igor wrote:
> I have configured a forward DNS server in Linux, unfortunately it
> seems that the UDP packets are being lost therefore my server is
> giving "service failure" to its clients.
>   
BIND has an aggressive, persistent retry regime. Are you dropping SO 
MANY packets? What's your drop percentage?

Are you sure UDP to port 53 isn't completely *blocked* (or possibly 
throttled?) somewhere upstream? Are you able to make exactly *the same* 
queries successfully with TCP as fail with UDP?

What source port(s) are you using? If you're locking your source port to 
53, then a) that source port may be blocked/throttled by your upstream 
provider, and b) even if it isn't, it's really bad to be locked to a 
given source port, given the nasty response-forgery exploit that's about 
to be disclosed to the public (including the hackers).

It's possible that your upstream provider may be doing you a *favor* by 
blocking UDP source port 53, thus forcing you to unlock it and making 
you more secure.

Or, maybe they just don't want you hosting your own DNS server on your 
"sub-enterprise-class" account with them, and this is their (lazy? 
incompetent?) way of preventing you from doing that.
> I haven't found a way to make the forward requests go via TCP over the
> forwarders.
>
> Can you please tell me if this is doable or not? Is there a parameter
> on named.conf or named.boot I need to change 
Not doable.
> or do I need to get the
> named source and "hack it".
>
>   
I wouldn't recommend it. TCP is a hog, and if you're really getting 
TERRIBLE drop rates for your packets, that drop rate is most likely 
going to affect TCP as well as UDP, the only real difference being that 
in the case of TCP, your network stack will be performing the retries; 
with UDP, named itself does the retries. In fact, by forcing TCP you may 
exacerbate the problem by putting even *more* traffic on the link (SYN, 
SYN-ACK, ACK, FIN, FIN-ACK, etc.), thus possibly saturating it even more.

Question: why are you using forwarding at all? It doesn't usually 
provide a benefit.

                     - Kevin
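Added example (not part of the original thread or of BIND itself): a small script for the two checks the reply above implies, auditing named.conf for a pinned outgoing source port (query-source ... port 53) and sending the same queries over UDP and over TCP to a forwarder. The sample named.conf fragment, the temp file path and the server/name arguments are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Two checks Kevin's reply
# implies: is named pinned to a fixed source port (query-source ... port 53),
# and do the same queries that fail over UDP also fail over TCP?
# The sample config and server/name arguments are constructed for this example.

# Write a constructed named.conf fragment to the path given in $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
// constructed sample, not a real deployment
options {
    directory "/var/named";
    forwarders { 192.0.2.1; 192.0.2.2; };
    forward only;
    query-source address * port 53;   // pinned source port: the risky setting
};
EOF
}

# Print "fixed:<port>" if the config pins the outgoing query source port,
# otherwise "random" (no query-source line, or "port *").
query_source_port() {
    # Drop // and # comments, keep the first IPv4 query-source statement.
    line=$(sed -e 's|//.*||' -e 's|#.*||' "$1" \
           | grep -E '^[[:space:]]*query-source[[:space:]]' | head -n 1)
    [ -z "$line" ] && { echo random; return 0; }
    port=$(printf '%s\n' "$line" \
           | sed -n 's/.*port[[:space:]]\{1,\}\([^[:space:];]*\).*/\1/p')
    case "$port" in
        ""|\*) echo random ;;
        *)     echo "fixed:$port" ;;
    esac
}

# Send the same queries over UDP and over TCP to one forwarder and report
# failures per transport (needs dig and network access; not run by default).
compare_transports() {
    server="$1"; shift
    udp_fail=0; tcp_fail=0
    for name in "$@"; do
        dig +time=2 +tries=1 +notcp @"$server" "$name" A >/dev/null 2>&1 \
            || udp_fail=$((udp_fail + 1))
        dig +time=2 +tries=1 +tcp @"$server" "$name" A >/dev/null 2>&1 \
            || tcp_fail=$((tcp_fail + 1))
    done
    echo "queries=$# udp_failures=$udp_fail tcp_failures=$tcp_fail"
}

SAMPLE="${TMPDIR:-/tmp}/named.conf.sample.$$"
make_sample_conf "$SAMPLE"
echo "sample config source port: $(query_source_port "$SAMPLE")"   # fixed:53
rm -f "$SAMPLE"
# Live check, run by hand: compare_transports 192.0.2.1 example.com example.net
```

If the audit prints fixed:53, the query-source port should be changed to * (or the port clause dropped) so named picks random source ports; if the TCP failure count is as high as the UDP one, the link itself is losing traffic and switching transports will not help.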