Pascal Hambourg <pas...@plouf.fr.eu.org> wrote:
> On 29/12/2017 at 18:27, Andrew W wrote:
>>
>> On 27/12/2017 13:18, Bernhard Schmidt wrote:
>>> Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
>>> packets. You might have an issue with UDP fragments being dropped at
>>> your firewall/NAT Gateway?
>>>
>> Thanks for this tip. Looking into it I discovered TCP seems to be
>> recommended for DNSSEC so I've enabled TCP port 53 and so far not had a
>> problem!
>
> AFAIK TCP is just a fall-back transport to work around UDP packet size
> issues. Compared to UDP, TCP transport for DNS wastes system and network
> resources.
Yes and no. For a single query, UDP is indeed more efficient. You can have long-standing TCP connections though (multiple queries through the same TCP channel, sometimes used between client and resolver, optionally with TLS), UDP > 1400 bytes (fragments) is often blocked by firewalls or misconfigured links, and due to the possibility of spoofing in UDP (reflexive DDoS) some authoritative servers force clients to use TCP (i.e. RRL or DNS COOKIE).

IOW, if you block TCP outbound for your resolver, you are asking for trouble.

Bernhard
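The UDP-then-TCP behaviour Bernhard describes, as an added example that is not from the original thread: a minimal Python DNS client that sends the query over UDP with an EDNS0 buffer size, retries over a length-prefixed TCP connection when the reply comes back with the TC bit set (which is what an RRL "slip" response looks like, and the signal a client acts on when a server declines to answer in full over UDP), and keeps that TCP connection open for further queries. The function names (`resolve`, `udp_transport`, `tcp_transport`), the 1232-byte buffer size, and the example.org / 192.0.2.1 data are my assumptions; `demo()` runs offline against constructed replies and touches no network.

```python
"""DNS query over UDP with EDNS0, falling back to a reusable TCP connection on TC.
Added example for the thread above; not code from the original post."""
import socket
import struct
from typing import Callable, List, Tuple

FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_DO = 0x8000  # DO bit in the OPT TTL field: "send DNSSEC records"


def encode_name(name: str) -> bytes:
    """Wire-format owner name (length-prefixed labels, no compression)."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qid: int, qtype: int = TYPE_A, bufsize: int = 1232) -> bytes:
    """Header + one question + one OPT RR advertising the UDP payload size we accept.
    1232 bytes is an assumed value chosen to stay below common fragmentation limits."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO, 0)
    return header + question + opt


def build_response(name: str, qid: int, rdata: bytes = b"", tc: bool = False) -> bytes:
    """Constructed reply for offline use: echoes the question and either sets TC
    (no answer, as an RRL slip reply does) or carries one A record."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b""
    if rdata and not tc:
        # 0xC00C: compression pointer to the owner name at offset 12 (the question)
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def parse_header(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "ancount": an}


def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 TCP framing: two-byte big-endian length before each message."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete messages; return the unread remainder."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        if off + 2 + n > len(stream):
            break
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, stream[off:]


def resolve(name: str, qid: int, udp_send: Callable[[bytes], bytes],
            tcp_send: Callable[[bytes], bytes]) -> Tuple[bytes, str]:
    """UDP first; if the reply is truncated, repeat the same query over TCP."""
    query = build_query(name, qid)
    reply = udp_send(query)
    hdr = parse_header(reply)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("UDP reply does not match the query")
    if not hdr["tc"]:
        return reply, "udp"
    msgs, rest = tcp_unframe(tcp_send(tcp_frame(query)))
    if len(msgs) != 1 or rest:
        raise ValueError("malformed TCP reply")
    hdr = parse_header(msgs[0])
    if hdr["id"] != qid or hdr["tc"]:
        raise ValueError("TCP reply mismatched or still truncated")
    return msgs[0], "tcp"


def udp_transport(server: str, port: int = 53, timeout: float = 3.0) -> Callable[[bytes], bytes]:
    def send(msg: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(msg, (server, port))
            return s.recv(65535)
    return send


def tcp_transport(server: str, port: int = 53, timeout: float = 5.0) -> Callable[[bytes], bytes]:
    """One connection, opened once and reused for every query sent through it."""
    sock = socket.create_connection((server, port), timeout=timeout)

    def recv_exact(n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("server closed the TCP connection")
            buf += chunk
        return buf

    def send(framed: bytes) -> bytes:
        sock.sendall(framed)
        prefix = recv_exact(2)
        return prefix + recv_exact(struct.unpack("!H", prefix)[0])
    return send


def demo() -> Tuple[str, int]:
    """Offline run: the fake server truncates over UDP and answers in full over TCP."""
    name, qid = "example.org", 0x1234
    fake_udp = lambda q: build_response(name, qid, tc=True)
    fake_tcp = lambda framed: tcp_frame(build_response(name, qid, rdata=bytes([192, 0, 2, 1])))
    reply, transport = resolve(name, qid, fake_udp, fake_tcp)
    return transport, parse_header(reply)["ancount"]


if __name__ == "__main__":
    print(demo())
```

Against a real server, `resolve("example.org", 0x1234, udp_transport("192.0.2.53"), tcp_transport("192.0.2.53"))` performs the same exchange; if outbound TCP/53 is blocked at the firewall, the fallback step is exactly where it fails, which is the situation the thread is about.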