[sdnog] DNS Queries
Nishal Goburdhan
nishal at controlfreak.co.za
Wed Aug 24 12:25:33 SAST 2016
On 22 Aug 2016, at 14:40, Sahlih Shihab wrote:
> Hi all
>
> I think DNS uses TCP in the transaction between dns-master and
> dns-slave to update the zones in dns-slave, am I right?
> Thanks
yes, TCP is used for zone transfers by default.
but TCP is also used when a DNS server cannot fit a reply into a single
packet.
or when a server is asked to reply using TCP (say during
troubleshooting .. erm.. I mean debugging)
so, DNS uses *both* UDP and TCP, although, as Philip has already said,
the default is to use UDP for queries/answers.
the short of it is that you should *NOT* block either TCP or UDP 53;
doing either will break your DNS.
there are a lot of other things you should pay attention to:
* don’t put your DNS servers behind a stateful firewall; since most
DNS replies/queries are stateless, a stateful firewall in front of your
DNS server is just adding another point of failure in the path of the
network. instead, make sure your DNS server is secure, and doesn’t
run anything other than DNS (and ssh for management, of course). this
might seem counter-intuitive to those of you who think that everything
should be firewalled, but, really, stateful firewalls don’t add value to
DNS.
* do NOT limit packet sizes to 512; this *will* break things.
* do NOT EVER use load-balancers for DNS; use anycast. it’s not
difficult - see SdNOG-1 for a talk on how to do this.
* if you are setting up a recursive DNS server, make sure to limit who
can use this, to just your clients’ networks.
* if you are setting up an authoritative DNS server, make sure you use
DNS RRL (response rate limiting).
i’m likely forgetting other best practices, but i’m sure others can
chip in.
—n.
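An added illustration of the UDP/TCP behaviour discussed in this thread, in Python; it is not code from the original post or from any DNS implementation. It builds a query carrying an EDNS0 OPT record that advertises a UDP payload size above 512 bytes, checks the TC (truncated) bit in the UDP reply, and shows the two-byte length framing DNS uses over TCP, which is why a DNS server needs both UDP and TCP 53 open. The helper names, the fixed transaction ID, the resolver address in the commented-out live call and the sample replies are all constructed for this example; the firewall, anycast and RRL points in the post are configuration matters and are not covered here.

```python
"""Minimal DNS client logic: UDP first, TCP when the reply is truncated.

Added illustration for this thread, not code from the original post.
Helper names, the fixed transaction ID and the sample replies below are
constructed for the example.
"""
import socket
import struct

DNS_PORT = 53
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: answer did not fit, retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(qname, qtype=1, txid=0x1234, edns_bufsize=1232):
    """Build a query with an EDNS0 OPT record advertising a UDP payload size above 512."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = qname.rstrip(".").split(".")
    owner = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = owner + struct.pack("!HH", qtype, 1)  # qtype, class IN
    # OPT RR (RFC 6891): root owner, TYPE 41, CLASS = UDP payload size,
    # TTL = extended rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict of the fields we need."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_reply, txid):
    """True when the UDP reply matches our query and carries TC=1."""
    h = parse_header(udp_reply)
    if h["id"] != txid or not h["qr"]:
        raise ValueError("reply does not match query")
    return h["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a two-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Strip the length prefix and check that the whole message arrived."""
    if len(stream) < 2:
        raise ValueError("no length prefix")
    (n,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + n]
    if len(body) != n:
        raise ValueError("truncated TCP DNS stream")
    return body


def resolve(qname, server, qtype=1, timeout=3.0):
    """Live lookup (needs network): UDP to port 53 first, TCP 53 only if TC is set."""
    txid = 0x1234  # fixed for the demo; real resolvers randomise it against spoofing
    q = build_query(qname, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        reply, _ = s.recvfrom(4096)
    if not needs_tcp_retry(reply, txid):
        return reply, "udp"
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(tcp_frame(q))
        buf = b""
        # read until the full length-prefixed message has arrived
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed TCP 53 before the full reply")
            buf += chunk
    return tcp_unframe(buf), "tcp"


# Constructed sample replies (header only) for offline checks: same txid, QR set,
# one with TC=1 (answer too big for the UDP packet) and one complete answer.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0)
FULL_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    print("truncated reply -> retry over TCP:", needs_tcp_retry(TRUNCATED_REPLY, 0x1234))
    print("complete reply  -> retry over TCP:", needs_tcp_retry(FULL_REPLY, 0x1234))
    # Live check; assumption: a resolver listening on 127.0.0.1 port 53.
    # reply, transport = resolve("example.com.", "127.0.0.1"); print(transport)
```

Two of the post's warnings fall straight out of this code: if a firewall drops TCP 53, `resolve()` succeeds only until the first reply that sets TC, then the TCP step fails; and if something clamps replies to 512 bytes or strips the OPT record, large answers come back with TC=1 and every such lookup costs a second round trip over TCP instead of one UDP exchange.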