Tcp-upstream in unbound doesn’t work. Use TCP for query upstream DNS servers really work in the real world

Today I've been playing with some options in unbound.conf just for fun. I've enabled tcp-upstream but it doesn't work with some domains.

OS: OpenBSD current. Unbound: 1.4.19

Examples with tcp-upstream enabled:

--> dig www.google.com  

; <<>> DiG 9.4.2-P2 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30362
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         43200   IN      A       173.194.34.210
www.google.com.         43200   IN      A       173.194.34.212
www.google.com.         43200   IN      A       173.194.34.211
www.google.com.         43200   IN      A       173.194.34.209
www.google.com.         43200   IN      A       173.194.34.208

;; Query time: 579 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:01:54 2013
;; MSG SIZE  rcvd: 112

--> dig www.facebook.com  

; <<>> DiG 9.4.2-P2 <<>> www.facebook.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48116
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; Query time: 4529 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:02:05 2013
;; MSG SIZE  rcvd: 34

/var/log/messages shows this error for the facebook query:

unbound: [29654:0] error: tcp connect: Connection refused

With tcp-upstream disabled:

--> dig www.facebook.com  

; <<>> DiG 9.4.2-P2 <<>> www.facebook.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50721
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; ANSWER SECTION:
www.facebook.com.       43200   IN      CNAME   star.c10r.facebook.com.
star.c10r.facebook.com. 43200   IN      A       173.252.101.26

;; Query time: 692 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:06:20 2013
;; MSG SIZE  rcvd: 74

I guess the problem is some servers don't permit tcp clients. Some
workaround for this issue? Is it tcp-upstream really usable in real world?.

I know UDP is a better protocol for DNS. I don't need answer like "use UDP instead". I'm only asking about of this problem with DNS over TCP and if this is reliable in the real world.

Best Answer

DNS works with small messages and responses most of the time (just do a spattering of random queries and think about the space needed for a compact representation of the query and the response). For this use UDP is ideal (no connection setup/teardown costs). Some queries have bulky answers (for instance, look at the output of nslookup -query=any google.com), which don't fit into a minimal UDP datagram. Those are asked and answered over TCP.

Best Answer

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

CentOS BIND DNS Troubleshooting

Related Topic