#1
Hello everybody,

I have witnessed a strange behavior of my machine and would like to understand what has been happening. The situation is as follows. My machine, which is online 24/7, uses fwlogwatch to generate daily reports about connection attempts. I use a switch that makes fwlogwatch try to resolve IP addresses, so that it sends requests to an exterior DNS server when preparing a report. Usually, these requests use UDP. Still, I have seen it several times using TCP for these queries. My question is: what can make a program use TCP for DNS requests?

Thanks!
Mikhail
muxaul@lenta.ru
#2
(E-Mail Removed) wrote:
> Hello everybody,
>
> I have witnessed a strange behavior of my machine and would like
> to understand what has been happening. The situation is as follows.
> My machine, which is online 24/7, uses fwlogwatch to generate daily
> reports about connection attempts. I use a switch that makes
> fwlogwatch try to resolve IP addresses, so that it sends requests
> to an exterior DNS server when preparing a report. Usually, these
> requests use UDP. Still, I have seen several times it using TCP
> for these queries. My question is: What can make a program use TCP
> for DNS requests?

When the packet is too big for UDP, DNS automatically switches to TCP for that request.
#3
"Trygve Selmer" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> When the packet is too big for UDP, DNS automatically switch to TCP for
> that request.

Some smart programs also switch to UDP if they are seeing packet loss issues. TCP is much better than UDP at dealing with this.

DS
#4
Thank you for the reply. I would like to clarify it if possible.

Do you mean that it is the machine that sends a DNS request that `decides' whether to use UDP or TCP? The point is that this was _my_ machine, not the DNS server, that was switching UDP to TCP.
#5
(E-Mail Removed) wrote:
> Thank you for the reply. I would like to clarify it if possible.
> Do you mean that this is the machine that sends a DNS
> request `decides' whether to use UDP or TCP? The point
> is that this was _my_ machine, not the DNS server that
> was switching UDP to TCP.

Normally your machine sends a UDP request to the server, and you get a UDP response back. If the response is too big to fit into one UDP packet, the server will return an indication of this. The client (your machine) then retries the request, this time using TCP.
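The exchange described in this reply, written out as an added example (this is not code from the thread and not part of fwlogwatch): a minimal Python resolver that builds a PTR query of the kind a log reporter sends, asks over UDP first, inspects the TC (truncated) bit in the reply header, and only then repeats the same query over TCP with the two-byte length framing that DNS-over-TCP requires. The server address 198.51.100.53 and the sample replies are constructed for the offline demo; the exchange functions are injectable so the fallback logic can be run without a network.

```python
"""Minimal DNS client showing the UDP-then-TCP fallback described in the thread.

Added example, not code from the thread or from fwlogwatch. Wire format per
RFC 1035: TC (truncated) is bit 9 of the flags word; over TCP every message
carries a two-byte big-endian length prefix.
"""
import socket
import struct

QTYPE_PTR = 12   # reverse lookups, what a log reporter resolving IPs sends
QCLASS_IN = 1
UDP_MAX = 512    # classic UDP payload limit without EDNS(0)

def reverse_name(ip: str) -> str:
    """'192.0.2.1' -> '1.2.0.192.in-addr.arpa' (IPv4 only)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def build_query(name: str, qtype: int = QTYPE_PTR, txid: int = 0x1234) -> bytes:
    """Standard query: header with RD=1, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; the TC bit is what triggers the TCP retry."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP: two-byte length prefix, then the message."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed mid-message")
        buf += chunk
    return buf

def udp_exchange(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(UDP_MAX)
    return resp

def tcp_exchange(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)

def resolve(query: bytes, server: str, udp=udp_exchange, tcp=tcp_exchange):
    """Send over UDP; if the reply has TC=1, repeat the same query over TCP.

    Returns (response, transport). The exchange functions are injectable so
    the fallback logic can be exercised offline (see demo()).
    """
    qid = parse_header(query)["id"]
    resp = udp(server, query)
    hdr = parse_header(resp)
    if hdr["id"] != qid or hdr["qr"] != 1:
        raise ValueError("UDP reply does not match the query")
    if not hdr["tc"]:
        return resp, "udp"
    resp = tcp(server, query)   # this is the TCP/53 traffic seen in the logs
    hdr = parse_header(resp)
    if hdr["id"] != qid or hdr["qr"] != 1 or hdr["tc"]:
        raise ValueError("TCP reply invalid or still truncated")
    return resp, "tcp"

def sample_reply(query: bytes, truncated: bool) -> bytes:
    """Constructed reply (not captured traffic): echoes the query's ID and
    question; flags 0x8380 = QR|TC|RD|RA, 0x8180 = QR|RD|RA."""
    flags = 0x8380 if truncated else 0x8180
    return struct.pack("!HHHHHH", parse_header(query)["id"], flags, 1, 0, 0, 0) + query[12:]

def demo():
    """Offline walk-through: UDP answer is truncated, so the client retries over TCP."""
    q = build_query(reverse_name("192.0.2.1"))
    calls = []
    def fake_udp(server, query):
        calls.append("udp")
        return sample_reply(query, truncated=True)
    def fake_tcp(server, query):
        calls.append("tcp")
        return sample_reply(query, truncated=False)
    # 198.51.100.53 is a placeholder address; the fakes never touch the network
    _, transport = resolve(q, "198.51.100.53", udp=fake_udp, tcp=fake_tcp)
    return calls, transport

if __name__ == "__main__":
    print(demo())   # (['udp', 'tcp'], 'tcp')
```

Run against a real resolver by calling `resolve(build_query(reverse_name(ip)), server)` with the defaults; a large PTR or ANY answer from a server without EDNS(0) is the usual way to see the TC bit set and the second, TCP, exchange appear in the firewall log.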
#6
Trygve Selmer wrote:
> (E-Mail Removed) wrote:
> > Thank you for the reply. I would like to clarify it if possible.
> > Do you mean that this is the machine that sends a DNS
> > request `decides' whether to use UDP or TCP? The point
> > is that this was _my_ machine, not the DNS server that
> > was switching UDP to TCP.
>
> Normally your machine sends an UDP request to the server, and you get an
> UDP response back. If the response is too big to fit into one UDP
> packet, the server will return an indication of this. The client (your
> machine) then retries the request, this time using TCP.

Oh, thanks! I've got it.

Still, there seems to be an issue related to firewalling. AFAIK, a common practice of protecting DNS servers is to accept UDP requests from anyone but accept TCP requests from a limited number of `upper-level' DNS servers only (those that really need to transfer your zone). For all other clients, TCP queries are prohibited. Thus, there seems to be a collision between firewall rules and the protocol suggested by the DNS server itself.

Mikhail
#7
(E-Mail Removed) wrote:
> Trygve Selmer wrote:
>
>> (E-Mail Removed) wrote:
>>
>>> Thank you for the reply. I would like to clarify it if possible.
>>> Do you mean that this is the machine that sends a DNS
>>> request `decides' whether to use UDP or TCP? The point
>>> is that this was _my_ machine, not the DNS server that
>>> was switching UDP to TCP.
>>
>> Normally your machine sends an UDP request to the server, and you
>> get an UDP response back. If the response is too big to fit into
>> one UDP packet, the server will return an indication of this. The
>> client (your machine) then retries the request, this time using TCP.
>
> Oh, thanks! I've got it.
>
> Still, there seems to be an issue related to firewalling.
> AFAIK, a common practice of protecting DNS servers is to
> accept UDP requests from anyone but accept TCP requests
> from a limited number of `upper-level' DNS servers only
> (those that really need to transfer your zone). For all
> other clients, TCP queries are prohibited. Thus, there
> seems to be a collision between firewall rules and the
> protocol suggested by the DNS server itself.

On an official server, you normally use TCP ports other than 53 to transfer zones between trusted servers. Port 53 (UDP and TCP) is normally reserved for client requests and prohibits zone transfers. And if the zone is set up correctly, there should not be any need for TCP requests/responses :-)

I will recommend the book "DNS and BIND", 4th edition, from O'Reilly.
#8
(E-Mail Removed) wrote:
> Still, there seems to be an issue related to firewalling. AFAIK, a
> common practice of protecting DNS servers is to accept UDP requests
> from anyone but accept TCP requests from a limited number of
> `upper-level' DNS servers only (those that really need to transfer
> your zone). For all other clients, TCP queries are prohibited.
> Thus, there seems to be a collision between firewall rules and the
> protocol suggested by the DNS server itself.

That would not be the first time firewalls have caused trouble.

rick jones
--
Wisdom Teeth are impacted, people are affected by the effects of events.
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to raj in cup.hp.com but NOT BOTH...
#9
<(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Still, there seems to be an issue related to firewalling.
> AFAIK, a common practice of protecting DNS servers is to
> accept UDP requests from anyone but accept TCP requests
> from a limited number of `upper-level' DNS servers only
> (those that really need to transfer your zone).

DNS servers are required to support TCP client queries. This "common practice" is as broken as using path MTU discovery and filtering all ICMP.

> For all
> other clients, TCP queries are prohibited. Thus, there
> seems to be a collision between firewall rules and the
> protocol suggested by the DNS server itself.

Not everyone who configures a firewall knows what the hell they're doing.

DS
#10
David Schwartz wrote:
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Still, there seems to be an issue related to firewalling.
> > AFAIK, a common practice of protecting DNS servers is to
> > accept UDP requests from anyone but accept TCP requests
> > from a limited number of `upper-level' DNS servers only
> > (those that really need to transfer your zone).
>
> DNS servers are required to support TCP client queries. This "common
> practice" is as broken as using path MTU discovery and filtering all ICMP.

Thank you for the reply, David. Still, I am afraid not everyone will agree with you. At least, there are guys at comp.os.linux.security who seem to share what I have called `a common practice'.

> > For all
> > other clients, TCP queries are prohibited. Thus, there
> > seems to be a collision between firewall rules and the
> > protocol suggested by the DNS server itself.
>
> Not everyone who configures a firewall knows what the hell they're
> doing.

Sure thing. ;-)

Mikhail
Tags: dns, requests, switch, tcp, udp