In message <c3de0a330905280804t56ca87dapd94281399202...@mail.gmail.com>, Bobby Mac writes:

> Not entirely on subject but.... I thought that allowing DNS queries to
> occur via TCP is mission critical for simple mail routing. We ran across
> this back in the day at @Home Network. Firewall rules were changed to not
> allow port 53 TCP. This severely affected sending mail to large
> distribution lists. Here is what we found and forgive me if I don't go into
> too much detail as it was almost 10 years ago.

As I said, sites just don't do this as it causes serious problems. Sites that disable TCP/53 outbound just end up re-enabling it. Nameservers and stub resolvers automatically retry with TCP, and the client applications just don't get answers returned when you start blocking TCP/53 outbound. It doesn't take long for said stupidity to be reversed.

> If you add enough recipients to an email, each domain within the send line
> needs to have an associated MX record. DNS by default starts with UDP which
> has a limit to the datagram size (64bit). A flag is placed in the
> header which then requires the request to be sent via TCP (160bit V4). Now
> that single query can be split up into many different packets providing that
> the request is more than the 160 bit and obviously IPV6 offers even more
> information contained in a single packet.

The number of recipients has no impact on the size of the DNS responses. It will have an impact on the number of DNS queries made iff the recipients are in multiple mail domains.

Mark

> -BobbyJim

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
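The fallback Mark describes (a stub resolver gets a UDP answer with the TC bit set and repeats the query over TCP, which then silently fails if TCP/53 is blocked) as an added, self-contained Python illustration. This is example code written for this thread, not from ISC or BIND; the transports are constructed in-process functions (`fake_udp`, `fake_tcp`, `blocked_tcp`) rather than real sockets, the name `example.com` and transaction id `0x1234` are placeholder values, and the constructed responses carry only a header plus the echoed question, with illustrative record counts and no RR bodies.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: the answer did not fit, retry over TCP
FLAG_RD = 0x0100  # recursion desired


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """Minimal recursion-desired query: header, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; the TC flag is what triggers TCP retry."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> bytes:
    """Strip the TCP length prefix, refusing a short read."""
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("short TCP read")
    return body


def resolve_with_fallback(query: bytes, udp_send, tcp_send):
    """Stub-resolver behaviour: try UDP first; if TC is set, repeat over TCP.

    udp_send/tcp_send are transport callables taking bytes and returning the
    peer's bytes, or None when the path is blocked (e.g. a firewall rule).
    Returns (response_or_None, transport_used).
    """
    resp = udp_send(query)
    hdr = parse_header(resp)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")
    if not hdr["tc"]:
        return resp, "udp"
    stream = tcp_send(tcp_frame(query))
    if stream is None:
        # Outbound TCP/53 filtered: the truncated UDP answer must not be
        # trusted as complete, so the application simply gets no answer.
        return None, "tcp-blocked"
    return tcp_unframe(stream), "tcp"


# --- constructed sample exchange (not captured traffic) -------------------
QUERY = build_query("example.com", 15, 0x1234)  # qtype 15 = MX


def _answer(flags: int, ancount: int) -> bytes:
    # Header plus echoed question only; ancount is illustrative, RR bodies omitted.
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + QUERY[12:]


def fake_udp(q: bytes) -> bytes:
    # Server could not fit the answer in the datagram, so it sets TC.
    return _answer(FLAG_QR | FLAG_RD | FLAG_TC, 0)


def fake_tcp(framed: bytes) -> bytes:
    # Same question over TCP gets the complete answer.
    return tcp_frame(_answer(FLAG_QR | FLAG_RD, 3))


def blocked_tcp(framed: bytes):
    # Models a firewall that drops outbound TCP/53.
    return None


if __name__ == "__main__":
    print(resolve_with_fallback(QUERY, fake_udp, fake_tcp)[1])     # tcp
    print(resolve_with_fallback(QUERY, fake_udp, blocked_tcp)[1])  # tcp-blocked
```

The point of the two runs is the one in the message above: the resolver's own retry logic handles truncation, but only if TCP/53 is reachable. With it blocked, the stub has a truncated datagram it must discard and nothing to replace it with, which is what the application experiences as "no answer".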