49

Possible Duplicate:
Is it true that a nameserver have to answer queries over TCP?

I know DNS uses UDP for most of its queries, but in what circumstances will it use TCP instead?

pradeepchhetri
  • The [se] sites **are not forums**. They are Q&A sites. Please see the [FAQ]s for why that matters. The "closed as exact dupe" question isn't the same Question, but has the same answer, and Alnitak is pretty much a DNS demi-god. – Chris S Jul 04 '12 at 22:02

2 Answers

46

DNS uses TCP when the size of the request or the response is greater than a single packet such as with responses that have many records or many IPv6 responses or most DNSSEC responses.

The maximum size was originally 512 bytes but there is an extension to the DNS protocol that allows clients to indicate that they can handle UDP responses of up to 4096 bytes.

DNSSEC responses are usually larger than the maximum UDP size.

Transfer requests are usually larger than the maximum UDP size and hence will also be done over TCP.

Tomer
Ladadadada
  • DNSSEC does not do any certificate negotiation! The resource records added for DNSSEC are no different than other resource records. DNSSEC works just fine over UDP and will only resort to TCP when the response is too large (compare `dig +dnssec @a.gtld-servers.net com. any` and `dig +dnssec @a.gtld-servers.net com. dnskey`) – Cakemox Jul 04 '12 at 21:59
  • Indeed, I stand corrected. That second query certainly did work just fine over UDP. I'll amend my answer. – Ladadadada Jul 04 '12 at 22:14
  • Are requests larger than 512 something that happens in practice, or is it merely a theoretical case? I can't think of a valid DNS request which wouldn't fit in 512 bytes. – kasperd May 16 '15 at 21:13
  • @kasperd ANY queries are notorious for producing large packets, which is why they're often used in DNS amplification attacks. With EDNS0, attackers try to send a small query that produces a response size just under the standard 4096 byte limit. – Zenexer Apr 27 '16 at 03:19
  • @Zenexer Amplification attacks exploit large **responses**. I was questioning whether large **requests** is something that actually happens. – kasperd Apr 27 '16 at 08:32
  • @kasperd Yes, theoretically. You can have requests that aren't meant to query, but instead perform some sort of administrative operation. You can also send multiple questions in one request. In practice, those don't happen often. If I recall correctly, BIND9 does use the former for administration, but it's complex, so a lot of people just modify the config/zone files and restart. You'd be more likely to see large requests with a medium-/large-scale DNS infrastructure running traditional software. – Zenexer Apr 27 '16 at 18:58
  • @Zenexer I did a couple of searches, and the results I found suggest that nobody supports multiple questions in a single request, and it is ambiguous how a server is supposed to respond to it. – kasperd Apr 27 '16 at 21:34
  • @kasperd Yeah, I've never tried anything like that. I've been denying requests with multiple questions ([BIND does this by default](http://stackoverflow.com/a/4083071/1188377)). The administrative stuff seems to be more common, but still not something average users would need. [Example using UPDATE opcode](http://linux.die.net/man/8/nsupdate) – Zenexer Apr 28 '16 at 04:33
  • What is an extension to the DNS to support more than 512 bytes ? – Vikram Mar 24 '17 at 19:50
  • [RFC 2671](https://tools.ietf.org/html/rfc2671) [See also Wikipedia](https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS) – Ladadadada Mar 26 '17 at 19:57
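The UDP-then-TCP fallback the answer describes, as an added example that is not part of the original answer: the query is built with an EDNS0 OPT record advertising the 4096-byte UDP payload size, and if the server sets the TC (truncated) bit because the answer still does not fit, the same query is repeated over TCP with the 2-byte length prefix TCP DNS requires. The resolver address `RESOLVER` is a placeholder you must fill in; the builder and TC-bit check work offline.

```python
import socket
import struct

RESOLVER = "192.0.2.53"  # placeholder (TEST-NET address); replace with a real resolver

def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """Build a DNS query; with edns_udp_size, append an EDNS0 OPT RR (RFC 2671)."""
    arcount = 1 if edns_udp_size else 0
    # id, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL carries extended RCODE/version/flags (all 0), RDLENGTH=0
        msg += b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, 0, 0)
    return msg

def is_truncated(response):
    """TC bit (0x0200 in the flags word) means the answer was cut to fit UDP."""
    flags = struct.unpack(">H", response[2:4])[0]
    return bool(flags & 0x0200)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed early")
        buf += chunk
    return buf

def query_udp_then_tcp(server, name, qtype=1, edns_udp_size=4096, timeout=3):
    """Return (raw response, transport used): UDP first, TCP only if TC is set."""
    msg = build_query(name, qtype, edns_udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        resp, _ = s.recvfrom(edns_udp_size or 512)
    if not is_truncated(resp):
        return resp, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack(">H", len(msg)) + msg)  # TCP frames carry a length prefix
        length = struct.unpack(">H", _recv_exact(t, 2))[0]
        return _recv_exact(t, length), "tcp"

if __name__ == "__main__":
    resp, transport = query_udp_then_tcp(RESOLVER, "example.com", qtype=48)  # DNSKEY
    print(len(resp), "bytes over", transport)
```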
10

The Transmission Control Protocol (TCP) is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers.

https://en.wikipedia.org/wiki/Domain_Name_System#DNS_transport_protocols

Max Alibaev
Jay