Выбрать язык


Выбрать язык | Show only


Русский | English


пятница, 22 апреля 2016 г.

Does DNS use TCP or UDP? RFC says...

Usually we mean DNS uses UDP port 53 but TCP port 53 is reserved for DNS too.
After some time the one question may become interesting for any specialist working with information technologies or information security:

When does DNS use UDP or TCP?

Answer is provided by  RFC5966, section 4. Transport Protocol Selection, where you may find such statements:
Most DNS [RFC1034] transactions take place over UDP [RFC0768].  TCP
[RFC0793] is always used for zone transfers and is often used for
messages whose sizes exceed the DNS protocol's original 512-byte
limit.
So, every request except zone transfer (query type AXFR) and the large message (more than 512 bytes) containing one is processed by UDP.
One can ask: "Why AXFR and large messages must use TCP?". The reason is ability to use UDP-based services with large responses for DDoS-attacks.
All general-purpose DNS implementations MUST support both UDP and TCP
transport.
It means that each DNS-server implementation must support both transport protocols.


Some more particular cases are described in the RFC5966 too:
Authoritative server implementations MUST support TCP so that they
do not limit the size of responses to what fits in a single UDP
packet.
So, authoritative server holds zone must support TCP. For zone transfer purposes at least.
Recursive server (or forwarder) implementations MUST support TCP
so that they do not prevent large responses from a TCP-capable
server from reaching its TCP-capable clients.
Recursive server must support TCP to have an ability to forward large response received by TCP to client using the same TCP protocol for source IP spoofing prevention.
Stub resolver implementations (e.g., an operating system's DNS
resolution library) MUST support TCP since to do otherwise would
limit their interoperability with their own clients and with
upstream servers. 
Stub resolver is a small and stupid recursive server used for minimal clients quantity serving. For example it is a SOHO router. It serves some client devices and forwards their requests to upper servers.
Stub resolver implementations MAY omit support for TCP when
specifically designed for deployment in restricted environments where
truncation can never occur or where truncated DNS responses are
acceptable.
One can see that RFC gives some indulgence for SOHO devices vendors to decrease its' load in the environment where large DNS responses are unbelievable or harmless.

And as a finale we can see protocols usage sequence:
A resolver SHOULD send a UDP
query first, but MAY elect to send a TCP query instead if it has good
reason to expect the response would be truncated if it were sent over
UDP (with or without EDNS0) or for other operational reasons, in
particular, if it already has an open TCP connection to the server.
So, (small and stupid) recursive server must try to use UDP for DNS-request but in the case of high truncated response possibility or if the TCP session exists (e.g. serving another request) it may use TCP.

Комментариев нет:

Отправить комментарий