On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:
<some cut>
> Could a kind soul who runs DNS for a living point me to the documentation
> which I can use to educate myself?
> 
> Most Kind Regards,
> Predrag Punosevac

Yes, it does need TCP.  It has been part of the protocol since RFC 1035.  For example,
ANY queries can get very large and are often used for DDoS amplification, so
what DNS designers usually did was write an empty reply with the TC flag
(truncate), in effect forcing a TCP requery.

Blocking DNS TCP these days is akin to putting a random block on some protocol;
things will break.  Don't do it.

There are probably endless debates around EDNS0 and fragmentation of UDP and
queries larger than 512 bytes, which occur naturally often with DNSSEC turned
on.  DNS without DNSSEC is unthinkable; you want the integrity protection it
offers.

Also, I think there was a DNS Flag Day this year covering TCP.  I think there
is a consensus around keeping UDP queries under 1280 bytes or something and
forcing anything above that to TCP (probably with the TC method).  You'll see
TCP taking a bigger role also because the days of RAM limitations are over in
systems; TCP DNS, which requires a large TCB for example for internal state
keeping, has a lot of RAM to resort to.

Also, we have yet to see a TLS capability for authoritative servers in the
RFCs; once that is done you'll likely see plain TCP taking a backseat too.

Hope that helps.  BTW, my authoritative DNS server that I write is at
https://delphinusdns.org.

Regards,
-peter

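The TC-flag mechanism described in the reply above, as an added example that is not from the thread or from delphinusdns: a server that answers ANY queries (or anything larger than the classic 512-byte UDP limit) with an empty reply carrying TC set, and a resolver that recognises that reply and retries over TCP with the 2-byte length framing. All function names and the "example.com" query are constructed for this illustration.

```python
import struct

DNS_QR = 0x8000   # header flag: this message is a response
DNS_TC = 0x0200   # header flag: truncated, client must retry over TCP (RFC 1035)
DNS_RD = 0x0100   # header flag: recursion desired (copied into the reply)
QTYPE_ANY = 255
UDP_MAX_PAYLOAD = 512  # classic UDP limit without EDNS0 (RFC 1035)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & DNS_QR), "tc": bool(flags & DNS_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def question_end(msg: bytes) -> int:
    """Offset just past the first question (QNAME labels + QTYPE + QCLASS)."""
    i = 12
    while msg[i] != 0:
        if msg[i] & 0xC0:
            raise ValueError("compression pointer in question name")
        i += 1 + msg[i]
    return i + 1 + 4

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Plain (non-EDNS0) query for one name, as a stub resolver would send over UDP."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, DNS_RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def udp_should_truncate(query: bytes, answer_len: int) -> bool:
    """Server policy from the post: ANY, or anything over the UDP limit, gets a TC-only reply."""
    end = question_end(query)
    qtype = struct.unpack("!H", query[end - 4:end - 2])[0]
    return qtype == QTYPE_ANY or answer_len > UDP_MAX_PAYLOAD

def truncated_reply(query: bytes) -> bytes:
    """Empty TC reply: same ID and question, QR+TC set, zero answer/authority/additional RRs."""
    txid, flags = struct.unpack("!HH", query[:4])
    hdr = struct.pack("!HHHHHH", txid, DNS_QR | DNS_TC | (flags & DNS_RD), 1, 0, 0, 0)
    return hdr + query[12:question_end(query)]

def needs_tcp_retry(udp_response: bytes) -> bool:
    """Resolver side: a response with TC set must be re-asked over TCP."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]

def tcp_frame(msg: bytes) -> bytes:
    """TCP transport prefixes each message with its 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg
```

Because the TC reply is no larger than the query that triggered it, the UDP exchange gives an amplification factor of 1; the real answer only travels over a TCP connection the client actually completed.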