Re: Does DNS need TCP?

2020-09-21 Thread Stuart Henderson
On 2020-09-21, Predrag Punosevac  wrote:
> As of the port blocking unfortunately I am old enough to remember this
> post 
>
> http://cr.yp.to/djbdns/tcp.html#why
>
> and the remark that TCP is only needed for records larger than 512
> bytes. 
>
> "You want to publish record sets larger than 512 bytes. (This is almost
> always a mistake.)"
>
> I had no need for TCP port 53 to be open. Until a month and a half ago
> things worked as expected and I have more important things to do than to
> fix things which don't appear to be broken.

DNS is fairly resilient so it can often "work" in a degraded fashion
with the only noticeable problem being some slowness, but relying on
this means that when things are a bit more broken or the situation
changes it will be unusable.

Even in cases where there are no large record sets, it is common for
modern authoritative servers to employ RRL (response rate limiting)
for UDP queries. One common method involves replying with a short
response with the TC flag set (truncated, querier should retry
over TCP) when they receive high request volumes from a particular
source network (often spoofed, using the authoritative server as a
"packet amplifier" - small queries generate a larger response
directed at the spoofed address). The handshake needed for establishing
a TCP connection makes it hard to spoof the source address of a query
(trivial for UDP) allowing legitimate connections to make it through
while not acting as a reliable packet amplifier.

> The following 
>
> https://www.openbsd.org/faq/pf/
>
> is also evolving.

Honestly it hasn't had a thorough refresh/review since before PF syntax
changed to nat-to over 10 years ago; it's only had iterative changes
since then. It will get you up and running, but imho it's not a great
basis for writing a maintainable and well-performing ruleset using
current features.

Tagging is only mentioned in "advanced configuration", received-on isn't
shown at all, no use of interface groups (those three I'd consider
pretty basic use), nothing about priority or queues or flow queues (I
guess these are a bit more advanced but I'd consider essential for both
setups with low line capacity, and larger scale setups where you have
high speed ports feeding lower speed lines - either NNIs with leased
line carriers or where you're controlling flows into radio links of say
a hundred Mb from a gigabit port etc).
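Stuart's description of RRL above, as an added example that is not part of this thread and not the RRL code of any real server: a toy authoritative responder counts UDP responses per source /24 and, once a per-second limit is exceeded, answers with an empty reply that has TC=1 set; the client-side rule shows why a resolver with `do-tcp: no`, or with 53/tcp blocked, cannot finish such a lookup. The 29-byte query, the 500-byte answer, the 203.0.113.0/24 source addresses and the fixed one-second window are constructed assumptions.

```python
"""Response rate limiting (RRL) with truncation, simulated.
Everything below is constructed for illustration; it is not code from
unbound, BIND, NSD or any other server discussed in the thread."""
import struct
from collections import defaultdict

FLAG_QR, FLAG_TC = 0x8000, 0x0200  # RFC 1035 header flag bits: response, truncated

# Constructed 29-byte query: header (id 0x1234, RD set) + question "example.com IN TXT"
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
         + b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1))
# Constructed stand-in for a large record set (answer-section bytes only)
BIG_ANSWER = b"\xab" * 500


def source_network(ip):
    """RRL buckets by /24 so a sender cannot dodge the limit by varying the last octet."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


class ResponseRateLimiter:
    """Fixed one-second window per source network (a simplification of real RRL)."""

    def __init__(self, responses_per_second):
        self.limit = responses_per_second
        self.counts = defaultdict(int)

    def allow(self, net, now):
        key = (net, int(now))
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def udp_response(query, src_ip, now, limiter):
    """What the authoritative server sends back over UDP for one query."""
    txid = struct.unpack("!H", query[:2])[0]
    if limiter.allow(source_network(src_ip), now):
        # Under the limit: full answer, question echoed, one answer RR claimed.
        return struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0) + query[12:] + BIG_ANSWER
    # Over the limit: header only with TC set. A spoofed victim receives 12 bytes
    # per 29-byte query, so the server no longer works as an amplifier.
    return struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_TC, 0, 0, 0, 0)


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def client_next_step(response):
    """A resolver with do-tcp: yes re-sends the query over TCP when TC is set; with
    do-tcp: no, or 53/tcp filtered, it is left holding an answerless reply."""
    return "retry over TCP" if is_truncated(response) else "use answer"


def simulate(queries_per_second, limit):
    """One second of queries, all from one (possibly spoofed) /24, with the limit applied."""
    limiter = ResponseRateLimiter(limit)
    stats = {"full": 0, "truncated": 0, "bytes_in": 0, "bytes_out": 0}
    for i in range(queries_per_second):
        src = f"203.0.113.{i % 256}"  # TEST-NET-3 addresses, all inside one /24
        resp = udp_response(QUERY, src, i / queries_per_second, limiter)
        stats["bytes_in"] += len(QUERY)
        stats["bytes_out"] += len(resp)
        stats["truncated" if is_truncated(resp) else "full"] += 1
    # bytes out per byte in: >1 means the server amplifies, <1 means it does not
    stats["amplification"] = round(stats["bytes_out"] / stats["bytes_in"], 2)
    return stats


if __name__ == "__main__":
    print("no limit :", simulate(1000, 1000))
    print("10/s limit:", simulate(1000, 10))
```

With `simulate(1000, 10)` the full answers stop after ten in the second and the outbound byte count falls below the inbound one, which is the point of truncating instead of answering; a legitimate resolver sharing that /24 simply retries over TCP, and that retry is what needs 53/tcp open on both ends.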




Re: Does DNS need TCP?

2020-09-20 Thread Otto Moerbeek
On Sun, Sep 20, 2020 at 10:17:47PM -0400, Predrag Punosevac wrote:

> Nicolai  wrote :
> 
> > On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:
> > 
> > > For a number of years I had in my /var/unbound/etc/unbound.conf line
> > > 
> > > do-tcp: no
> > 
> > > To make things worse I was blocking TCP port 53. 
> > 
> > Just curious, why did you do that?
> 
> When I started using Unbound on OpenBSD it was not part of the base.
> There was no such thing as a default unbound.conf file. I vividly
> remember reading the NLnet Labs documentation for three full days before
> deciding on my defaults. Even once Unbound became part of the base
> (IIRC 5.7), the defaults were not carved in stone. They changed quite a
> bit over time.

unbound itself has TCP switched on by default.

> 
> As of the port blocking unfortunately I am old enough to remember this
> post 
> 
> http://cr.yp.to/djbdns/tcp.html#why
> 
> and the remark that TCP is only needed for records larger than 512
> bytes. 
> 
> "You want to publish record sets larger than 512 bytes. (This is almost
> always a mistake.)"
> 
> I had no need for TCP port 53 to be open. Until a month and a half ago
> things worked as expected and I have more important things to do than to
> fix things which don't appear to be broken.

He's talking about publishing here. You are talking about resolving.
You have no control over what sizes of record sets others are publishing.

djb is both respected and an outlier. Never take his opinion for
granted without consulting other sources.

Just one example: dig +dnssec akamai.com txt

> 
> The following 
> 
> https://www.openbsd.org/faq/pf/
> 
> is also evolving. It has been almost 15 years since OpenBSD became
> my daily driver and I would swear (but I am not going to look through
> the Internet Archive) that there was a time when UDP port 53 was the only
> open domain service in the minimal working example.

I think if you look at the CVS history of the default pf.conf you'll
see that outgoing traffic was never blocked by default.

-Otto

> 
> 
> > 
> > On my authoritative servers roughly 1 in 1000 queries are over TCP, even
> > though no answers are over 512 bytes.  Like most people, I don't use
> > DNSSEC, and unlike most people, I do use DNSCurve.
> > 
> 
> I try to stay away from universal quantification (a professional
> deformation).  I have used DNSSEC more or less since it became available. I
> used it before the time it became the default in the unbound.conf file of
> OpenBSD. That is an example of an OpenBSD unbound.conf default which
> actually changed not so long ago.
> 
> 
> 
> > I've seen "in the wild" authoritative servers that always set TC=1 but
> > that's exceedingly rare and a bad idea for general use.
> > 
> > If you block 53/udp then your life will change for the worse a LOT
> > faster than if you merely block 53/tcp, but both are used, and both
> > should be allowed.  Blocking either will lead to downtime.
> > 
> > If you don't understand the defaults then leave them be.  Put your
> > energy into fixing things that are visibly broken.
> >
> 
> That is exactly the reason that I kept 53/tcp closed past its useful
> shelf life. I actually have more interesting things to do than fixing
> the stuff which is only marginally important for my life. 
> 
> 
> > 
> > Just a related PSA: please don't block ICMP either.  It's important,
> > necessary, and good.
> 
> I am not blocking it and I have never blocked it, although I do have some
> restrictions in place since I read the first edition of The Book of PF. 
> As you know the book is overdue for a 4th edition. As you see, the only
> constant in life is change. 
> 
> 
> Cheers,
> Predrag
> 
> > 
> > Nicolai
> 



Re: Does DNS need TCP?

2020-09-20 Thread Predrag Punosevac
Nicolai  wrote :

> On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:
> 
> > For a number of years I had in my /var/unbound/etc/unbound.conf line
> > 
> > do-tcp: no
> 
> > To make things worse I was blocking TCP port 53. 
> 
> Just curious, why did you do that?

When I started using Unbound on OpenBSD it was not part of the base.
There was no such thing as a default unbound.conf file. I vividly
remember reading the NLnet Labs documentation for three full days before
deciding on my defaults. Even once Unbound became part of the base
(IIRC 5.7), the defaults were not carved in stone. They changed quite a
bit over time.

As of the port blocking unfortunately I am old enough to remember this
post 

http://cr.yp.to/djbdns/tcp.html#why

and the remark that TCP is only needed for records larger than 512
bytes. 

"You want to publish record sets larger than 512 bytes. (This is almost
always a mistake.)"

I had no need for TCP port 53 to be open. Until a month and a half ago
things worked as expected and I have more important things to do than to
fix things which don't appear to be broken.

The following 

https://www.openbsd.org/faq/pf/

is also evolving. It has been almost 15 years since OpenBSD became
my daily driver and I would swear (but I am not going to look through
the Internet Archive) that there was a time when UDP port 53 was the only
open domain service in the minimal working example.


> 
> On my authoritative servers roughly 1 in 1000 queries are over TCP, even
> though no answers are over 512 bytes.  Like most people, I don't use
> DNSSEC, and unlike most people, I do use DNSCurve.
> 

I try to stay away from universal quantification (a professional
deformation).  I have used DNSSEC more or less since it became available. I
used it before the time it became the default in the unbound.conf file of
OpenBSD. That is an example of an OpenBSD unbound.conf default which
actually changed not so long ago.



> I've seen "in the wild" authoritative servers that always set TC=1 but
> that's exceedingly rare and a bad idea for general use.
> 
> If you block 53/udp then your life will change for the worse a LOT
> faster than if you merely block 53/tcp, but both are used, and both
> should be allowed.  Blocking either will lead to downtime.
> 
> If you don't understand the defaults then leave them be.  Put your
> energy into fixing things that are visibly broken.
>

That is exactly the reason that I kept 53/tcp closed past its useful
shelf life. I actually have more interesting things to do than fixing
the stuff which is only marginally important for my life. 


> 
> Just a related PSA: please don't block ICMP either.  It's important,
> necessary, and good.

I am not blocking it and I have never blocked it, although I do have some
restrictions in place since I read the first edition of The Book of PF. 
As you know the book is overdue for a 4th edition. As you see, the only
constant in life is change. 


Cheers,
Predrag

> 
> Nicolai



Re: Does DNS need TCP?

2020-09-20 Thread Nicolai
On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:

> For a number of years I had in my /var/unbound/etc/unbound.conf line
> 
> do-tcp: no

> To make things worse I was blocking TCP port 53. 

Just curious, why did you do that?

On my authoritative servers roughly 1 in 1000 queries are over TCP, even
though no answers are over 512 bytes.  Like most people, I don't use
DNSSEC, and unlike most people, I do use DNSCurve.

I've seen "in the wild" authoritative servers that always set TC=1 but
that's exceedingly rare and a bad idea for general use.

If you block 53/udp then your life will change for the worse a LOT
faster than if you merely block 53/tcp, but both are used, and both
should be allowed.  Blocking either will lead to downtime.

If you don't understand the defaults then leave them be.  Put your
energy into fixing things that are visibly broken.

Just a related PSA: please don't block ICMP either.  It's important,
necessary, and good.

Nicolai



Re: Does DNS need TCP?

2020-09-19 Thread Otto Moerbeek
On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:

> 
> 
> Hi Misc,
> 
> I have been doubling as a system admin for our small university research
> group for a number of years now but every now and then I get reminded of
> my own ignorance. One of those moments happened a month and a half ago
> when pkg management tools stopped working on all my FreeBSD file servers
> and jail hosts. After wasting an hour, I got to the bottom of my
> problem. Namely, my caching DNS Unbound resolvers (obviously running on
> OpenBSD) which also serve my LAN and DMZ authoritatively could no longer
> resolve 
> 
> pkg.freebsd.org.
> 
> After wasting another hour it became clear that the authoritative DNS for 
> pkg.freebsd.org was no longer serving using the UDP protocol and was
> expecting my DNS resolver to use TCP instead of UDP for name queries. 
> For a number of years I had in my /var/unbound/etc/unbound.conf line
> 
> do-tcp: no
> 
> even though I was aware that OpenBSD 6.7 is shipped with
> 
> do-tcp: yes
> 
> To make things worse I was blocking TCP port 53. 
> 
> I am not much of a DNS expert but I was under impression that TCP was
> only used for publishing record sets larger than 512 bytes. However, it
> appears that I am mistaken.
> 
> https://serverfault.com/questions/181956/is-it-true-that-a-nameserver-have-to-answer-queries-over-tcp
> 
> That is not just a random garbage thread. The person whose answer was
> accepted claims to be the author of RFC 5966. There is another
> interesting post, getting a lot of thumbs down, which brings back some
> of the old fights started by Daniel Bernstein.
> 
> There is a second less illuminating thread 
> 
> https://serverfault.com/questions/404840/when-do-dns-queries-use-tcp-instead-of-udp
> 
> According to the above threads it appears that DNSSEC validation requires
> TCP port 53 and do-tcp: yes to work properly.
> 
> Could a kind soul who runs DNS for a living point me to the documentation
> which I can use to educate myself?

https://tools.ietf.org/html/rfc7766 says it all.

The TCP requirement is related to DNSSEC because DNSSEC makes the DNS
replies bigger, but the custom of dumping more and more into TXT
records is another reason. The recommendation to use a UDP buffer
size of 1232 to avoid big UDP packets and thus IP fragmentation also
makes TCP fallback needed more often. See https://dnsflagday.net/2020/

For all practical purposes, setting up DNS without TCP is broken.

-Otto
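Otto's two reasons above (DNSSEC and ever-fatter TXT records make replies larger; the 1232-byte EDNS buffer recommended by DNS flag day 2020 makes the UDP limit bite sooner), as an added example that is not part of the thread and not unbound's code: a minimal DNS wire-format builder sizes a reply against the advertised EDNS buffer (512 bytes when there is no EDNS, per RFC 1035), sets TC when the reply does not fit, and shows the 2-byte length framing the client then uses over TCP (RFC 1035 section 4.2.2, RFC 7766). The example.com TXT record set, the transaction id and the 4096-byte server cap used in the demo are constructed assumptions.

```python
"""Reply sizing against the EDNS buffer and the TCP fallback, simulated.
All messages are built here; nothing is code from unbound or any other server."""
import struct

FLAG_QR, FLAG_TC = 0x8000, 0x0200           # RFC 1035 header flag bits
TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
CLASSIC_UDP_MAX = 512                       # RFC 1035 limit when no EDNS is present
FLAG_DAY_2020_SIZE = 1232                   # buffer size recommended by dnsflagday.net/2020

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Offset just past the name at `off`; a compression pointer is two bytes."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def txt_rr(name, strings, ttl=300):
    rdata = b"".join(bytes([len(s)]) + s for s in strings)
    return encode_name(name) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata

def opt_rr(udp_size):
    # EDNS0 OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS carries the UDP payload size
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)

def build_query(name, qtype, udp_size=None, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if udp_size else 0)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + (opt_rr(udp_size) if udp_size else b"")

def parse_edns(msg):
    """UDP payload size advertised in the OPT record, or None when the message has no EDNS."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return max(rclass, CLASSIC_UDP_MAX)   # RFC 6891: values below 512 count as 512
    return None

def build_response(query, answer_rrs, server_udp_size, truncated=False):
    """Full reply, or a TC=1 reply with an empty answer section when `truncated`."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    trailer = opt_rr(server_udp_size) if parse_edns(query) is not None else b""
    answers = b"" if truncated else b"".join(answer_rrs)
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0 if truncated else len(answer_rrs), 0, 1 if trailer else 0)
    return header + question + answers + trailer

def build_udp_response(query, answer_rrs, server_udp_size=FLAG_DAY_2020_SIZE):
    """Over UDP the server stays within the client's advertised size and its own cap."""
    client = parse_edns(query)
    limit = CLASSIC_UDP_MAX if client is None else min(client, server_udp_size)
    full = build_response(query, answer_rrs, server_udp_size)
    return full if len(full) <= limit else build_response(query, answer_rrs, server_udp_size, True)

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)

def tcp_frame(msg):
    """Over TCP every message is prefixed with its 2-byte length (RFC 1035 4.2.2, RFC 7766)."""
    return struct.pack("!H", len(msg)) + msg

def read_tcp_frames(stream):
    """Split a TCP byte stream into complete messages; a trailing partial one is left unread."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        n = struct.unpack("!H", stream[off:off + 2])[0]
        if off + 2 + n > len(stream):
            break
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs

def resolve(query, answer_rrs, server_udp_size=FLAG_DAY_2020_SIZE):
    """Client side: try UDP first, re-send over TCP when the reply comes back with TC set."""
    udp = build_udp_response(query, answer_rrs, server_udp_size)
    if not is_truncated(udp):
        return "udp", udp
    (q,) = read_tcp_frames(tcp_frame(query))                 # bytes the client wrote to the socket
    full = build_response(q, answer_rrs, server_udp_size)     # TCP is not bound by the UDP size
    (resp,) = read_tcp_frames(tcp_frame(full))
    return "tcp", resp

if __name__ == "__main__":
    # Constructed record set: eight 200-byte TXT strings stand in for a big signed answer.
    big_txt = [txt_rr("example.com", [b"x" * 200] * 8)]
    for size in (None, FLAG_DAY_2020_SIZE, 4096):
        # server cap of 4096 assumed, so only the client's advertisement decides
        transport, resp = resolve(build_query("example.com", TYPE_TXT, size), big_txt, 4096)
        print(f"advertised={size}: {transport}, {len(resp)} bytes")
```

Running it prints one line per advertised buffer size: with no EDNS and with 1232 the client ends up on TCP, while with 4096 the same 1671-byte reply goes over UDP. This is the exchange that `do-tcp: no`, or a pf rule passing only `proto udp to port 53`, cuts off halfway: the resolver receives the 40-byte truncated reply and has nowhere to go.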




Re: Does DNS need TCP?

2020-09-19 Thread Peter J. Philipp
On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:

> Could a kind soul who runs DNS for living point me to the documentation
> which I can use to educate myself.
> 
> 
> Most Kind Regards,
> Predrag Punosevac

Yes it does need TCP.  It's been part of the protocol since RFC 1035.  For example
ANY queries can get very large and are often used for DDoS amplification, so
what DNS designers usually did was write an empty reply with the TC flag 
(truncate), in effect forcing a TCP requery.

Blocking DNS TCP these days is akin to putting a random block on some protocol,
things will break.  Don't do it.

There are probably endless debates around EDNS0 and fragmentation of UDP and
queries larger than 512 bytes, which occur naturally often with DNSSEC turned
on.  DNS without DNSSEC is unthinkable; you want the integrity protection it
offers.

Also I think there was a DNS Flag day this year covering TCP.  I think there
is a consensus around keeping UDP queries under 1280 bytes or something and
forcing anything above that to TCP (probably with the TC method).  You'll see 
TCP taking a bigger role also because the days of RAM limitations are over in 
systems, TCP DNS which requires a large TCB for example for internal state 
keeping has a lot of RAM to resort to.  

Also we have yet to see a TLS capability for authoritative servers in the 
RFCs; once that is done you'll likely see plain TCP taking a backseat too.

Hope that helps,  BTW my authoritative DNS server that I write is at 
https://delphinusdns.org.

Regards,
-peter



Does DNS need TCP?

2020-09-19 Thread Predrag Punosevac



Hi Misc,

I have been doubling as a system admin for our small university research
group for a number of years now but every now and then I get reminded of
my own ignorance. One of those moments happened a month and a half ago
when pkg management tools stopped working on all my FreeBSD file servers
and jail hosts. After wasting an hour, I got to the bottom of my
problem. Namely, my caching DNS Unbound resolvers (obviously running on
OpenBSD) which also serve my LAN and DMZ authoritatively could no longer
resolve 

pkg.freebsd.org.

After wasting another hour it became clear that the authoritative DNS for 
pkg.freebsd.org was no longer serving using the UDP protocol and was
expecting my DNS resolver to use TCP instead of UDP for name queries. 
For a number of years I had in my /var/unbound/etc/unbound.conf line

do-tcp: no

even though I was aware that OpenBSD 6.7 is shipped with

do-tcp: yes

To make things worse I was blocking TCP port 53. 

I am not much of a DNS expert but I was under impression that TCP was
only used for publishing record sets larger than 512 bytes. However, it
appears that I am mistaken.

https://serverfault.com/questions/181956/is-it-true-that-a-nameserver-have-to-answer-queries-over-tcp

That is not just a random garbage thread. The person whose answer was
accepted claims to be the author of RFC 5966. There is another
interesting post, getting a lot of thumbs down, which brings back some
of the old fights started by Daniel Bernstein.

There is a second less illuminating thread 

https://serverfault.com/questions/404840/when-do-dns-queries-use-tcp-instead-of-udp

According to the above threads it appears that DNSSEC validation requires
TCP port 53 and do-tcp: yes to work properly.

Could a kind soul who runs DNS for a living point me to the documentation
which I can use to educate myself?


Most Kind Regards,
Predrag Punosevac