
DNS over TCP and DNS fragmentation

When allowing DNS queries through the firewall, it is not enough to allow only 53/udp. A plain DNS reply over UDP is limited to 512 bytes. When the answer does not fit, the server returns what does fit with the TC (truncated) bit set in the header, and the client transparently retries the same question over TCP. If 53/tcp is blocked, that retry, and with it the whole lookup, fails.

Nowadays the problem has a second dimension. DNSSEC makes replies much larger, and the EDNS0 extension it depends on lets a client advertise that it accepts UDP replies above 512 bytes, commonly up to 4096 bytes. On an Ethernet path with a 1500-byte MTU, a reply of that size has to be split into IP fragments, so the receiving host, and every firewall in between, must handle fragmented packets. If your firewall drops fragments by default, the reply never arrives, and the lookup fails in the same way as when TCP is blocked.
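To make the two mechanisms above concrete, here is an added example written for this page (not code from the original post): a minimal stub resolver in Python that builds a query with an EDNS0 OPT record advertising a 4096-byte UDP buffer, sends it over UDP and, when the reply comes back with the TC bit set, repeats it over TCP with the 2-byte length framing DNS over TCP requires. The host name, the fixed transaction ID 0x1234, the server address 192.0.2.53 and the `make_reply` test data are all constructed for the example. A refused TCP connection is reported the way the nslookup output further down shows it, and a UDP timeout is reported with a hint about dropped fragments.

```python
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1): QR=response, TC=truncated, RD, RA
QR_FLAG, TC_FLAG, RD_FLAG, RA_FLAG = 0x8000, 0x0200, 0x0100, 0x0080


def build_query(name, qtype=1, txid=0x1234, edns_udp_size=None):
    """Build a DNS query for `name` (qtype 1 = A). With edns_udp_size set, an
    EDNS0 OPT pseudo-record (RFC 6891) tells the server we accept UDP replies
    larger than the classic 512-byte limit. txid is fixed for the example;
    a real resolver randomizes it (and the source port)."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, arcount)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)       # QCLASS IN
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/flags (all zero), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte header; 'truncated' is the TC bit that makes a
    stub resolver retry the question over TCP."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "rcode": flags & 0x0F,
            "truncated": bool(flags & TC_FLAG)}


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server, msg, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recvfrom(65535)[0]


def query_tcp(server, msg, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(msg))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


def checked_header(query, reply):
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("reply ID does not match query")
    return hdr


def resolve(name, server, edns_udp_size=None, udp_send=None, tcp_send=None):
    """Stub-resolver logic: ask over UDP, retry over TCP if the reply is
    truncated. udp_send/tcp_send default to real sockets and can be replaced
    by callables for offline testing. Returns (transport_used, header)."""
    udp_send = udp_send or (lambda m: query_udp(server, m))
    tcp_send = tcp_send or (lambda m: query_tcp(server, m))
    q = build_query(name, edns_udp_size=edns_udp_size)
    try:
        reply = udp_send(q)
    except (socket.timeout, TimeoutError):
        # A large EDNS buffer lets the server send a reply above the path MTU;
        # if a firewall drops IP fragments, the datagram never arrives at all.
        raise RuntimeError("no UDP reply from %s (fragments dropped? try an EDNS "
                           "buffer smaller than %s)" % (server, edns_udp_size))
    hdr = checked_header(q, reply)
    if not hdr["truncated"]:
        return "udp", hdr
    try:
        reply = tcp_send(q)
    except OSError as e:
        # The failure the nslookup output on this page shows: TC set, 53/tcp blocked
        raise RuntimeError("truncated UDP reply and TCP retry to %s failed "
                           "(is 53/tcp allowed through the firewall?): %s" % (server, e))
    return "tcp", checked_header(q, reply)


def question_end(msg, offset=12):
    """Offset just past the (uncompressed) question section."""
    while msg[offset] != 0:
        offset += 1 + msg[offset]
    return offset + 1 + 4


def make_reply(query, addresses, truncated=False):
    """Constructed test data, not a captured packet: a response to `query`
    with one A record per address, optionally with the TC bit set."""
    flags = QR_FLAG | RD_FLAG | RA_FLAG | (TC_FLAG if truncated else 0)
    header = struct.pack("!HHHHHH", parse_header(query)["id"], flags,
                         1, len(addresses), 0, 0)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + socket.inet_aton(a) for a in addresses)
    return header + query[12:question_end(query)] + answers


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    server = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    transport, hdr = resolve(name, server, edns_udp_size=4096)
    print("%s answered over %s: %d answer RR(s), rcode %d"
          % (server, transport, hdr["ancount"], hdr["rcode"]))
```

Run it as `python3 dns_tc.py www.example.com 172.19.7.1` against a real resolver; to reproduce the failure shown on this page, block 53/tcp to that resolver first and the TCP retry raises with "connection refused". The `udp_send`/`tcp_send` parameters exist so the truncation logic can be exercised offline with replies built by `make_reply`. The transaction ID comparison is only a sanity check against mismatched replies, not a defence against spoofing; a production resolver randomizes both the ID and the source port.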

$ nslookup www.megaupload.com
;; Truncated, retrying in TCP mode.
;; Connection to 172.19.7.1#53(172.19.7.1) for www.megaupload.com failed: connection refused.

In a client such as a web browser, this shows up only as an "Address not found" error, which is easily mistaken for a mistyped URL, the site's DNS servers being down, or some other problem. Since the vast majority of DNS replies are small enough to fit in a single UDP datagram, the problem can go unnoticed for a long time.

With 53/tcp opened, it works like a charm:

$ nslookup www.megaupload.com
;; Truncated, retrying in TCP mode.
Server:		172.19.7.1
Address:	172.19.7.1#53

Non-authoritative answer:
Name:	www.megaupload.com
Address: 69.5.88.200
Name:	www.megaupload.com
Address: 69.5.88.202
Name:	www.megaupload.com
Address: 69.5.88.203
Name:	www.megaupload.com
Address: 69.5.88.204
Name:	www.megaupload.com
Address: 69.5.88.205
Name:	www.megaupload.com
Address: 69.5.88.206
Name:	www.megaupload.com
Address: 69.5.88.207
Name:	www.megaupload.com
Address: 69.5.88.208
Name:	www.megaupload.com
Address: 69.5.88.209
Name:	www.megaupload.com
Address: 69.5.88.210
Name:	www.megaupload.com
Address: 69.5.88.211
Name:	www.megaupload.com
Address: 69.5.88.212
Name:	www.megaupload.com
Address: 69.5.88.213
Name:	www.megaupload.com
Address: 69.5.88.214
Name:	www.megaupload.com
Address: 69.5.88.215
Name:	www.megaupload.com
Address: 69.5.88.216
Name:	www.megaupload.com
Address: 69.5.88.217
Name:	www.megaupload.com
Address: 69.5.88.218
Name:	www.megaupload.com
Address: 69.5.88.219
Name:	www.megaupload.com
Address: 69.5.88.220
Name:	www.megaupload.com
Address: 69.5.88.221
Name:	www.megaupload.com
Address: 69.5.88.223
Name:	www.megaupload.com
Address: 69.5.88.224

/By Mikael Q Kuisma

Page last modified 2013-10-14 20:20Z