Today I've been playing with some options in unbound.conf just for fun. I've enabled tcp-upstream but it doesn't work with some domains.
OS: OpenBSD current. Unbound: 1.4.19
Examples with tcp-upstream enabled:
--> dig www.google.com
; <<>> DiG 9.4.2-P2 <<>> www.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30362
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 43200 IN A 173.194.34.210
www.google.com. 43200 IN A 173.194.34.212
www.google.com. 43200 IN A 173.194.34.211
www.google.com. 43200 IN A 173.194.34.209
www.google.com. 43200 IN A 173.194.34.208
;; Query time: 579 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:01:54 2013
;; MSG SIZE rcvd: 112
--> dig www.facebook.com
; <<>> DiG 9.4.2-P2 <<>> www.facebook.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48116
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.facebook.com. IN A
;; Query time: 4529 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:02:05 2013
;; MSG SIZE rcvd: 34
/var/log/messages shows this error for the facebook query:
unbound: [29654:0] error: tcp connect: Connection refused
With tcp-upstream disabled:
--> dig www.facebook.com
; <<>> DiG 9.4.2-P2 <<>> www.facebook.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50721
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.facebook.com. IN A
;; ANSWER SECTION:
www.facebook.com. 43200 IN CNAME star.c10r.facebook.com.
star.c10r.facebook.com. 43200 IN A 173.252.101.26
;; Query time: 692 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:06:20 2013
;; MSG SIZE rcvd: 74
I guess the problem is some servers don't permit tcp clients. Is there some workaround for this issue? Is tcp-upstream really usable in the real world?
I know UDP is a better protocol for DNS. I don't need an answer like "use UDP instead". I'm only asking about this problem with DNS over TCP and whether it is reliable in the real world.
Best Answer
DNS works with small messages and responses most of the time (just do a spattering of random queries and think about the space needed for a compact representation of the query and the response). For this use UDP is ideal (no connection setup/teardown costs). Some queries have bulky answers (for instance, look at the output of nslookup -query=any google.com), which don't fit into a minimal UDP datagram. Those are asked and answered over TCP.
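To make the UDP-first, TCP-only-on-truncation behaviour described in the answer concrete, here is an added example resolver in Python; it is not code from the question, the answer or unbound. It assumes a server reachable at `server` speaking plain DNS on port 53, and the truncated reply at the bottom is constructed by hand, not captured.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Wire-format DNS query for an A record with RD set (12-byte header + question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def is_truncated(reply):
    """True when the TC flag (bit 0x0200) is set: the answer did not fit in UDP."""
    return bool(struct.unpack("!H", reply[2:4])[0] & 0x0200)

def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its length, network byte order."""
    return struct.pack("!H", len(msg)) + msg

def unframe_from_tcp(buf):
    """Return one complete DNS message from a TCP buffer, or None if incomplete."""
    if len(buf) < 2:
        return None
    n = struct.unpack("!H", buf[:2])[0]
    return buf[2:2 + n] if len(buf) >= 2 + n else None

def resolve(name, server, timeout=3.0):
    """UDP first; retry over TCP only if the server set TC (the normal fallback)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        reply, _ = u.recvfrom(512)
    if not is_truncated(reply):
        return reply
    # Only now does the server's TCP/53 reachability matter; a refused connect
    # here is the same failure the unbound log above reports for every query.
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(frame_for_tcp(q))
        buf = b""
        while (msg := unframe_from_tcp(buf)) is None:
            chunk = t.recv(4096)
            if not chunk:
                raise ConnectionError("TCP upstream closed before a full reply")
            buf += chunk
    return msg

# Constructed (not captured) reply: same id, flags QR|TC|RD|RA = 0x8380, no records.
SAMPLE_TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                          + build_query("www.facebook.com")[12:])
```

Forcing every upstream query onto TCP, as tcp-upstream does, skips the UDP step entirely, so any authoritative server that does not accept TCP/53 fails outright instead of only for oversized answers.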