Our organization's primary DNS server is a Windows Server 2008 with two Forwarders set. I happened to notice on our firewall that this server is sending out regular TCP requests to the Forwarders in addition to the standard UDP queries. I ran Wireshark on the server and noticed the rate varies but is around 2 packets per second. All the packets are nearly the same:

<server> <forwarder> TCP 62 55148 > domain [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

Occasionally the forwarder responds with a reset:

<forwarder> <server> TCP 60 domain > 55148 [RST, ACK] Seq=1 Ack=0 Win=0 Len=0

Is this normal, expected behavior or should I be concerned? I don't see our other DNS servers exhibiting this same behavior. This is our only Windows server that is sending some DNS packets via TCP.

Andrew S

1 Answer

If you dig a little further into those packet captures, you'll probably find that these TCP requests follow a truncated UDP response of 512 bytes. Alternatively this could be an attempt to perform a zone transfer, but the fact that you said it was a forwarder makes me less inclined to believe this.

In the absence of working EDNS over UDP, it's common for DNS software to attempt a TCP retry in order to get the full packet. [SYN] followed by [RST, ACK] implies that the remote server is not listening on that port and returning a classic "connection refused".

If that is indeed what is happening, you'll need to find out why the remote server is rejecting TCP sessions. The impact of the DNS server being unable to obtain the full reply payload will depend entirely on what application is requesting it and how that data is used.

Andrew B
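To make the mechanism in the answer concrete, here is an added example (not code from either poster) that builds a DNS query, checks a UDP reply for the TC (truncated) bit, and only then retries the same query over TCP with the 2-byte length prefix that DNS over TCP requires. A refused TCP connection, which is what the SYN followed by RST,ACK in the capture indicates, is reported rather than raised so you can see that the forwarder accepted UDP but not TCP. The reply bytes embedded below are constructed by hand to show the truncated case; the forwarder address used in the usage line is a placeholder assumption.

```python
"""Added example: detect a truncated (TC) DNS reply over UDP and fall back to
TCP, the retry behaviour described in the answer.  The sample replies are
constructed inline so the parsing functions run without any network."""
import socket
import struct

DNS_PORT = 53
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: answer did not fit in the UDP reply
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
UDP_CLASSIC_LIMIT = 512  # RFC 1035 maximum UDP payload without EDNS


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query with RD set and one question (qtype 1 = A, 16 = TXT)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in name.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def is_truncated(reply: bytes) -> bool:
    """True when the TC bit is set in the DNS header flags word (bytes 2-3)."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a 12-byte DNS header")
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & FLAG_TC)


def needs_tcp_retry(reply: bytes) -> bool:
    """A resolver retries over TCP when the UDP reply is marked truncated;
    a truncated reply is also expected to be at or under the 512-byte limit
    when EDNS is not in use."""
    return is_truncated(reply) and len(reply) <= UDP_CLASSIC_LIMIT


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(data: bytes) -> bytes:
    """Strip the length prefix, checking the buffer holds the whole message."""
    if len(data) < 2:
        raise ValueError("TCP DNS buffer shorter than its length prefix")
    length = struct.unpack("!H", data[:2])[0]
    if len(data) < 2 + length:
        raise ValueError("incomplete TCP DNS message")
    return data[2:2 + length]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("forwarder closed the TCP stream early")
        buf += chunk
    return buf


def query_with_fallback(name: str, server: str, timeout: float = 3.0):
    """Send over UDP; if the reply carries TC, resend the same query over TCP.
    Returns (transport_used, reply).  'tcp-refused' means the forwarder sent
    RST,ACK to our SYN, i.e. nothing is listening on TCP/53 there."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, DNS_PORT))
        reply, _ = udp.recvfrom(4096)
    if not needs_tcp_retry(reply):
        return "udp", reply
    try:
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as tcp:
            tcp.sendall(frame_tcp(query))
            length = struct.unpack("!H", _recv_exact(tcp, 2))[0]
            return "tcp", _recv_exact(tcp, length)
    except ConnectionRefusedError:
        return "tcp-refused", reply


# Constructed sample replies (not captured from the poster's network):
# same transaction ID and question section as the query, no answer records.
_QUESTION = build_query("example.com")[12:]
TRUNCATED_REPLY = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0
) + _QUESTION
NORMAL_REPLY = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0
) + _QUESTION

if __name__ == "__main__":
    # Placeholder forwarder address; replace with one of your own forwarders.
    print(query_with_fallback("example.com", "192.0.2.53")[0])
```

Running the script against each forwarder tells you in one line whether the server answers over UDP only, upgrades cleanly to TCP, or refuses TCP; the last case matches the SYN/RST,ACK pattern in the capture and is the condition the answer says must be fixed on the forwarder side.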