On Wed, 2009-07-29 at 12:35 +0800, Tech W. wrote:
> --- On Tue, 28/7/09, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> > > what's the use of bind's tcp port 53?
> > DNS requests and responses.
> oh, I was always thinking dns requests and responses are going with udp
> protocol. under what condition does it use tcp protocol?
If a UDP reply packet comes back truncated, the querying machine may ask again via TCP, i.e. if the reply is over 512 bytes and one end doesn't support EDNS(0), or perhaps a "firewall" in the path truncates a UDP reply to 512 bytes? DNSSEC and IPv6 both help to push replies over that 512 byte limit.

Your "local registry" (ccTLD) could choose to ask on TCP if they validate your DNS records before inserting them into their zone? (Of course, zone transfers and updates use TCP.)

So one could view TCP as a safeguard for when UDP can't get through, though UDP is a far more efficient mechanism to deliver DNS queries, which is why EDNS(0) was provided as an Extension to DNS (Version 0): to allow for UDP packets larger than 512 bytes (up to 4096?).

The "Kaminsky Attack" (or compromise) should have been a good reason for everyone using BIND to upgrade to a version of BIND that supports EDNS(0), yet in /var/log/messages I still get loads of:

named[4027]: success resolving 'hub.linksdelmundo.com/AAAA' (in 'linksdelmundo.com'?) after reducing the advertised EDNS UDP packet size to 512 octets

Anyway, consider your configuration broken (or incomplete) if you cannot answer DNS queries on both UDP and TCP.

--
Posix Systems - Sth Africa
m...@posix.co.za - Mark J Elkins, SCO ACE, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
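The UDP-then-TCP fallback and EDNS(0) payload advertisement discussed in the reply above, as an added Python example that is not part of the original thread: it builds a query carrying an EDNS(0) OPT record, checks the TC (truncated) bit on a constructed UDP reply, and frames the retry with the two-byte length prefix DNS over TCP requires. No network is used; the reply bytes, transaction ID and name are constructed for illustration.

```python
import struct

# Constructed example: DNS wire-format helpers showing why a resolver that
# cannot reach TCP/53 (or does not speak EDNS(0)) fails on large replies.

def encode_name(name):
    """Encode a dotted name into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234, edns_udp_size=None):
    """Standard query with RD set; optionally append an EDNS(0) OPT pseudo-RR."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns_udp_size:
        # OPT RR (RFC 6891): root name, TYPE=41, the CLASS field carries the
        # advertised UDP payload size, the TTL field carries ext-RCODE/version/
        # flags (all zero here), and RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def parse_header(msg):
    """Return the header fields a resolver checks before trusting a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}

def needs_tcp_retry(query, reply):
    """True when the reply is a response to our query and is marked truncated."""
    h = parse_header(reply)
    return h["qr"] and h["id"] == parse_header(query)["id"] and h["tc"]

def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg

# Constructed UDP reply: same ID, flags QR=1 TC=1 RD=1 RA=1, question echoed,
# no answer records carried (the server dropped them when truncating).
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    q = build_query("example.com", edns_udp_size=4096)
    if needs_tcp_retry(q, TRUNCATED_REPLY):
        print("TC set: resend %d framed bytes over TCP/53" % len(tcp_frame(q)))
```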