
Dns Tcp

When allowing DNS queries through the firewall, it is not enough to only allow 53/udp. When a DNS reply exceeds the size of a UDP datagram, it must be transmitted over TCP. DNS clients will transparently retry the question over TCP when they get a truncated reply. If 53/tcp is blocked, the DNS query fails:

$ nslookup www.megaupload.com
;; Truncated, retrying in TCP mode.
;; Connection to 172.19.7.1#53(172.19.7.1) for www.megaupload.com failed: connection refused.

From a client like a web browser, this only shows up as an "Address not found" error and can easily be mistaken for a wrong URL, the site's DNS servers being down, or some other problem. Since the vast majority of DNS replies are small enough to fit in a UDP packet, the misconfiguration can go unnoticed for a while.

After opening 53/tcp it works like a charm:

$ nslookup www.megaupload.com
;; Truncated, retrying in TCP mode.
Server:		172.19.7.1
Address:	172.19.7.1#53

Non-authoritative answer:
Name:	www.megaupload.com
Address: 69.5.88.200
Name:	www.megaupload.com
Address: 69.5.88.202
Name:	www.megaupload.com
Address: 69.5.88.203
Name:	www.megaupload.com
Address: 69.5.88.204
Name:	www.megaupload.com
Address: 69.5.88.205
Name:	www.megaupload.com
Address: 69.5.88.206
Name:	www.megaupload.com
Address: 69.5.88.207
Name:	www.megaupload.com
Address: 69.5.88.208
Name:	www.megaupload.com
Address: 69.5.88.209
Name:	www.megaupload.com
Address: 69.5.88.210
Name:	www.megaupload.com
Address: 69.5.88.211
Name:	www.megaupload.com
Address: 69.5.88.212
Name:	www.megaupload.com
Address: 69.5.88.213
Name:	www.megaupload.com
Address: 69.5.88.214
Name:	www.megaupload.com
Address: 69.5.88.215
Name:	www.megaupload.com
Address: 69.5.88.216
Name:	www.megaupload.com
Address: 69.5.88.217
Name:	www.megaupload.com
Address: 69.5.88.218
Name:	www.megaupload.com
Address: 69.5.88.219
Name:	www.megaupload.com
Address: 69.5.88.220
Name:	www.megaupload.com
Address: 69.5.88.221
Name:	www.megaupload.com
Address: 69.5.88.223
Name:	www.megaupload.com
Address: 69.5.88.224
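As an added example, not code from the original page, here is the resolver behaviour described above in Python: build a query, detect the TC (truncated) bit in a reply, and apply the 2-byte length framing DNS uses over TCP. The sample replies are constructed inline and the UDP/TCP transport functions are injected, so it runs offline; the names and the 0x1234 transaction id are assumptions of this example.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: header with RD set, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(msg):
    """True if the TC bit (0x0200 in the flags word) is set: the server cut the reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & 0x0200)

def tcp_frame(msg):
    """Over TCP every DNS message is preceded by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    """Split a TCP byte stream into complete DNS messages; returns (messages, leftover)."""
    msgs = []
    while len(stream) >= 2:
        (n,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + n:
            break  # partial message, wait for more bytes
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream

def resolve_with_fallback(query, send_udp, send_tcp):
    """Mirror stub-resolver behaviour: try UDP, retry over TCP only if TC is set.

    send_udp(msg) -> reply bytes; send_tcp(framed) -> framed reply bytes.
    With 53/tcp filtered, send_tcp is where the connection-refused error surfaces."""
    reply = send_udp(query)
    if not is_truncated(reply):
        return reply, "udp"
    framed_reply = send_tcp(tcp_frame(query))
    return tcp_unframe(framed_reply)[0][0], "tcp"

# Constructed sample replies (not captured from a real server), same txid as the query.
HDR_FULL = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
HDR_TRUNC = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # same plus TC
```

To check a firewall, wire `send_udp` and `send_tcp` to real sockets against your resolver: a truncated UDP reply followed by a refused TCP connection is exactly the failure shown in the first nslookup run.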

Page last modified 2009-07-01 09:37Z
