Re: BIND DNS problem after upgrading from Wheezy to Squeeze

Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
> On 29/12/2017 at 18:27, Andrew W wrote:
>> On 27/12/2017 13:18, Bernhard Schmidt wrote:
>>> Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
>>> packets. You might have an issue with UDP fragments being dropped at
>>> your firewall/NAT Gateway?
>> Thanks for this tip. Looking into it I discovered TCP seems to be
>> recommended for DNSSEC so I've enabled TCP port 53 and so far not had a
>> problem!
> AFAIK TCP is just a fall-back transport to work around UDP packet size 
> issues. Compared to UDP, TCP transport for DNS wastes system and network 
> resources.

Yes and no. For a single query, UDP is indeed more efficient. You can
have long-standing TCP connections though (multiple queries through the
same TCP channel, sometimes used between Client and Resolver, optionally
with TLS), UDP > 1400 Bytes (Fragments) is often blocked by Firewalls or
misconfigured links, and due to the possibility of spoofing in UDP
(reflexive DDoS) some authoritative servers force clients to use TCP
(i.e. RRL or DNS COOKIE).

IOW, if you block TCP outbound for your resolver, you are asking for
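The mechanism behind the reply above, as an added example (not code from this thread or from BIND): a resolver advertises its UDP buffer size in an EDNS0 OPT record, and an authoritative server whose DNSSEC-signed answer does not fit sets the TC (truncated) bit in the header, at which point the client must retry the same question over TCP, where each message carries a 2-byte length prefix. The query builder, header parser and TCP framing follow RFC 1035 and RFC 6891; the truncated reply is a constructed sample, not captured traffic, and the 1232-byte buffer size is the value commonly recommended to stay under the fragmentation threshold the poster mentions.

```python
import struct

# Added example, constructed for illustration. Shows why a resolver needs
# outbound TCP/53: a UDP answer too large for the advertised EDNS buffer comes
# back with TC=1 and the client has to repeat the query over TCP.

DNS_TC_FLAG = 0x0200   # "truncated" bit in the flags word of the DNS header
EDNS_BUFSIZE = 1232    # UDP payload size that avoids IP fragmentation on most paths


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS label format (len-prefixed labels, zero terminator)."""
    stripped = name.rstrip(".")
    if not stripped:
        return b"\x00"  # the root name
    out = b""
    for label in stripped.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int,
                bufsize: int = EDNS_BUFSIZE, do_bit: bool = True) -> bytes:
    """Build a DNS query with an EDNS0 OPT record (RFC 6891).

    bufsize is the largest UDP payload the client will accept; the DO bit asks
    for DNSSEC records, which is what makes answers large in the first place.
    """
    flags = 0x0100  # RD (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qdcount=1, arcount=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, class = UDP payload size,
    # TTL = ext-rcode | version | flags, where DO is the high flag bit (0x8000).
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, ttl, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into a dict, including the TC bit."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "tc": bool(flags & DNS_TC_FLAG),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def to_tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def from_tcp_frame(stream: bytes) -> bytes:
    """Strip the TCP length prefix, rejecting a short read."""
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("short TCP read")
    return body


def next_transport(udp_reply: bytes, query: bytes):
    """Decide what a resolver does with a UDP reply.

    Returns ("udp", reply) when the answer is usable, or ("tcp", framed_query)
    when TC=1 says the server cut the answer down to fit the UDP buffer.
    """
    hdr = parse_header(udp_reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("reply id does not match query; discard it")
    if hdr["tc"]:
        return ("tcp", to_tcp_frame(query))
    return ("udp", udp_reply)


def constructed_truncated_reply(query: bytes) -> bytes:
    """Constructed sample: server echoes the question with TC=1 and no records,
    which is what an oversized DNSSEC answer looks like on UDP."""
    qid = parse_header(query)["id"]
    flags = 0x8000 | 0x0100 | 0x0080 | DNS_TC_FLAG  # QR, RD, RA, TC
    # The question is everything between the header and the 11-byte OPT record.
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:-11]


def demo():
    """Query DNSKEY for example.com (type 48), get a truncated UDP reply, fall back to TCP."""
    q = build_query("example.com.", 48, 0x1234)
    reply = constructed_truncated_reply(q)
    transport, payload = next_transport(reply, q)
    retried_id = parse_header(from_tcp_frame(payload))["id"] if transport == "tcp" else None
    return transport, len(payload), retried_id


if __name__ == "__main__":
    print(demo())  # ('tcp', 42, 4660)
```

The point for a firewall administrator is in `next_transport`: once a truncated reply arrives there is no UDP-only way to get the full answer, so a resolver that cannot open TCP/53 outbound simply fails those lookups.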