Is it true that a nameserver has to answer queries over TCP?

I'm in the process of setting up monitoring of the DNS servers of several large web hosts. My goal is to compare their DNS servers' response times by tracking their response to ping.

In the process, I discovered that Bluehost's nameservers do not respond to ping. I tried to get more information by running Pingdom DNS Check on bluehost.com, and it produced the following error:

Name server ns1.bluehost.com (74.220.195.31) does not answer queries over TCP.

The name server failed to answer queries sent over TCP. This is probably due to the name server not correctly set up or due to misconfigured filtering in a firewall. It is a rather common misconception that DNS does not need TCP unless they provide zone transfers - perhaps the name server administrator is not aware that TCP usually is a requirement.

I would like to know the following:

  • To what extent is the above statement true?
  • What are the implications of a nameserver not answering queries over TCP?

Solution 1:

The diagnostic text from Pingdom is exactly correct. TCP is not just for zone transfers.

DNS server implementations are now "required" (in so much as any RFC requires anything) to support TCP, per RFC 5966, "DNS Transport over TCP - Implementation Requirements".

Note that this is a requirement on the server software implementation; it does not strictly apply to the operation of any server - operational practice is not covered.

That said, if your particular DNS servers are not configured to support TCP, or if it is blocked, then the longer term effect will be an inability to support DNSSEC correctly. Similarly, any other DNS data which causes responses to exceed 512 bytes might be blocked.

Obligatory disclaimer: I wrote that RFC.

EDIT: RFC 5966 has now been replaced by RFC 7766.

Solution 2:

It should support TCP and UDP; TCP is for response sizes >512 bytes (which would include zone transfers). (According to stuff I've read, anyway. I usually enable TCP and UDP for the NSes I run...)
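Putting both answers into practice for the monitoring described in the question, here is an added example (not code from the question, the answers or Pingdom) that sends the same query to a nameserver over UDP and over TCP, using the RFC 7766 two-byte length prefix on TCP, and reports whether each transport answered and whether the UDP answer came back truncated (TC bit), which is exactly the case where a resolver must retry over TCP. The server address and query name are the only inputs; nothing about any particular host is assumed.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Encode a minimal DNS query: 12-byte header with RD set plus one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the DNS header: id, QR (is a response), TC (truncated), RCODE, answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}

def tcp_frame(msg):
    """RFC 7766: over TCP each DNS message is prefixed by its length as a 16-bit big-endian integer."""
    return struct.pack("!H", len(msg)) + msg

def read_tcp_message(sock):
    """Read one length-prefixed DNS message from a TCP socket; None if the peer closes early."""
    buf = b""
    while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    return buf[2:2 + struct.unpack("!H", buf[:2])[0]]

def query(server, name, tcp=False, timeout=3.0):
    """One query to port 53 over UDP or TCP; parsed header, or None on timeout/refusal/filtering."""
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(tcp_frame(build_query(name)))
                msg = read_tcp_message(s)
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(build_query(name), (server, 53))
                msg = s.recv(4096)
        return parse_header(msg) if msg else None
    except OSError:
        return None

def check_transports(server, name):
    """What a monitor should alert on: no UDP answer, a truncated UDP answer, or no TCP answer."""
    udp, tcp = query(server, name), query(server, name, tcp=True)
    return {"udp": bool(udp and udp["qr"]), "udp_truncated": bool(udp and udp["tc"]),
            "tcp": bool(tcp and tcp["qr"])}
```

A server whose UDP answer has TC set but whose TCP port is filtered is the failure mode Pingdom is warning about: large (e.g. DNSSEC) answers can never be retrieved.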