Today I've been playing with some options in unbound.conf just for fun. I've enabled tcp-upstream but it doesn't work with some domains.
OS: OpenBSD current. Unbound: 1.4.19
Examples with tcp-upstream enabled:
--> dig www.google.com
; <<>> DiG 9.4.2-P2 <<>> www.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30362
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 43200 IN A 173.194.34.210
www.google.com. 43200 IN A 173.194.34.212
www.google.com. 43200 IN A 173.194.34.211
www.google.com. 43200 IN A 173.194.34.209
www.google.com. 43200 IN A 173.194.34.208
;; Query time: 579 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:01:54 2013
;; MSG SIZE rcvd: 112
--> dig www.facebook.com
; <<>> DiG 9.4.2-P2 <<>> www.facebook.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48116
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.facebook.com. IN A
;; Query time: 4529 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:02:05 2013
;; MSG SIZE rcvd: 34
/var/log/messages shows this error for the facebook query:
unbound: [29654:0] error: tcp connect: Connection refused
With tcp-upstream disabled:
--> dig www.facebook.com
; <<>> DiG 9.4.2-P2 <<>> www.facebook.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50721
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.facebook.com. IN A
;; ANSWER SECTION:
www.facebook.com. 43200 IN CNAME star.c10r.facebook.com.
star.c10r.facebook.com. 43200 IN A 173.252.101.26
;; Query time: 692 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:06:20 2013
;; MSG SIZE rcvd: 74
I guess the problem is some servers don't permit TCP clients. Is there some workaround for this issue? Is tcp-upstream really usable in the real world?
I know UDP is a better protocol for DNS. I don't need an answer like "use UDP instead". I'm only asking about this problem with DNS over TCP and whether it is reliable in the real world.
DNS works with small messages and responses most of the time (just do a smattering of random queries and think about the space needed for a compact representation of the query and the response). For this use, UDP is ideal (no connection setup/teardown costs). Some queries have bulky answers (for instance, look at the output of `nslookup -query=any google.com`), which don't fit into a minimal UDP datagram. Those are asked and answered over TCP. With the availability of EDNS (http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS) most DNS queries, including IPv6 and DNSSEC, can be answered using UDP. Hence many server providers do not allow incoming connections to TCP port 53. Use of TCP is usually restricted to zone transfers.
So if you are planning to create a recursive DNS server for local clients, it should be based on UDP as all servers support UDP, and most do not support TCP.
Check it out in the unbound documentation:
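A small diagnostic for the failure described in the question, added here as an example and not code from the thread or from unbound: it sends the same A query to a nameserver over UDP and over TCP (with the 2-byte length prefix that DNS over TCP requires) and reports whether the TCP connection was refused, which is what unbound logged before returning SERVFAIL. The server, name and port are supplied by you; the 34-byte query for www.facebook.com matches the "MSG SIZE rcvd: 34" of the SERVFAIL reply, which carries only the header and question.

```python
import socket
import struct
import random

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, qid=None):
    """Minimal DNS query: 12-byte header with RD set, one question (A by default)."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def tcp_frame(msg):
    """RFC 1035 TCP transport: each message is prefixed with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def parse_rcode(data):
    """Name of the RCODE in the low 4 bits of the flags word of a DNS reply."""
    rcode = struct.unpack("!H", data[2:4])[0] & 0x0F
    return RCODES.get(rcode, "rcode %d" % rcode)

def probe(server, name, proto, port=53, timeout=3.0):
    """Send one query over 'udp' or 'tcp' and classify what came back."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, port))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, port), timeout=timeout) as s:
                s.sendall(tcp_frame(query))
                hdr = s.recv(2)
                if len(hdr) < 2:
                    return "closed"          # server accepted, then hung up
                (length,) = struct.unpack("!H", hdr)
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        return "closed"
                    data += chunk
    except ConnectionRefusedError:
        return "refused"                     # the "tcp connect: Connection refused" case
    except (socket.timeout, OSError) as e:
        return "error: %s" % e               # filtered port, no route, etc.
    return parse_rcode(data)

if __name__ == "__main__":
    import sys                               # usage: probe.py <nameserver-ip> <name>
    for proto in ("udp", "tcp"):
        print(proto, probe(sys.argv[1], sys.argv[2], proto))
```

Run it against each authoritative nameserver of the zone that SERVFAILs; a "refused" or timeout on the TCP line with a NOERROR on the UDP line is the pattern the answer describes.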