> People have said that they block all UDP packets bar those from and to
> port 53 (the port assigned to DNS and used by nameservers).
> Isn't there some motivation here to try to get a universal block on UDP
> and move the DNS requests to be handled by TCP connects ? BIND 4.8.3
> supports it (RES_USEVC in resolv.h) and it is assigned:
What about other UDP based services, like NTP (Network Time Protocol)?
It seems that disabling a complete class of network transport is a bit
> so why not ? Are DNS transactions light weight enough to make requiring
> TCP an overkill ? What if the TCP connection were kept open during the
> life of the nameserver rather than on a per-request basis ?
It would greatly increase the amount of traffic and time to perform a
simple query, as well as increase the resource usage on both the
"client" machine and the name server. It is impractical to just keep
a connection open to "the" name server.
Some root name servers, for instance, will refuse to accept TCP
connections for queries because of the additional overhead. For
example, the root name server which we run at the University of
Maryland processes on the order of 5 queries per second, averaged over
Louis A. Mamakos
University of Maryland, College Park
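The exchange above compares the cost of carrying a DNS query over UDP against
carrying it over TCP. As an added illustration, not code from either poster or
from BIND, the following Python builds a standard query in the RFC 1035 wire
format, frames it the way DNS over TCP requires (a two-byte big-endian length
in front of each message), reassembles messages out of a TCP byte stream, and
counts the bytes each transport puts on the wire for the data packet alone.
The transaction ID, the query name and the header sizes (20-byte IPv4, 8-byte
UDP, 20-byte TCP without options) are assumptions for the example; the TCP
handshake and teardown packets, which are part of the overhead the reply
refers to, are deliberately not modelled here.

```python
import struct

# Constructed example: DNS query encoding and TCP framing (RFC 1035 4.1, 4.2.2).
# Not BIND's code; names and sizes below are assumptions for illustration.

QTYPE_A = 1
QCLASS_IN = 1

# Assumed fixed header sizes for the wire-byte comparison (IPv4, no options).
IPV4_HDR = 20
UDP_HDR = 8
TCP_HDR = 20


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, txid=0x1234, qtype=QTYPE_A):
    """Build a standard query with RD (recursion desired) set; txid is an assumed value."""
    flags = 0x0100  # QR=0, opcode=0 (QUERY), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def frame_for_tcp(msg):
    """Prefix a DNS message with its two-byte length, as DNS over TCP requires."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(buf):
    """Split a TCP byte stream into complete DNS messages.

    Returns (messages, leftover). TCP gives no datagram boundaries, so a read
    may hold several messages or only part of one; the caller keeps 'leftover'
    and prepends it to the next read.
    """
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break  # incomplete message: wait for more data
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def parse_question(msg):
    """Return (txid, qname, qtype, qclass) for the first question in msg."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels) + ".", qtype, qclass


def wire_bytes(msg, transport):
    """Bytes on the wire for the single packet carrying msg (data packet only)."""
    if transport == "udp":
        return IPV4_HDR + UDP_HDR + len(msg)
    if transport == "tcp":
        return IPV4_HDR + TCP_HDR + len(frame_for_tcp(msg))
    raise ValueError("transport must be 'udp' or 'tcp'")


if __name__ == "__main__":
    q = build_query("example.com.")
    print("udp bytes:", wire_bytes(q, "udp"), "tcp bytes:", wire_bytes(q, "tcp"))
    msgs, rest = split_tcp_stream(frame_for_tcp(q) + frame_for_tcp(q)[:5])
    print(len(msgs), "complete message(s),", len(rest), "byte(s) pending")
```

The stream splitter is the part a resolver using RES_USEVC actually has to get
right: on a persistent connection of the kind the quoted poster suggests,
replies arrive back to back and a single read can end in the middle of a
message.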
DNS over TCP
From: avalon @ au (Darren Reed)