2009/03/26

Firewalls should not block DNS traffic over TCP port 53

Some firewalls explicitly offer an option to block DNS traffic on TCP port 53. This is not a protective feature; rather, it causes a lot of trouble. System administrators should allow DNS traffic to go through over TCP. Take the MX records of hotmail.com as an example. Currently, the response is 511 bytes long. If Hotmail adds one more mail server, the MX response will exceed 512 bytes, which cannot be carried in a classic UDP DNS message, and the transaction will logically fall back to TCP.

There are other cases where transactions use TCP, mainly queries to the nameservers of top-level domains and country-code top-level domains. As IPv6 and DNSSEC become widespread, a large part of DNS traffic will ride on TCP.
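As an added illustration (not part of the original post), the following Python builds an MX response in DNS wire format for a constructed example.com zone, shows the point at which the message exceeds the 512-byte UDP limit, and models the classic resolver fallback: the UDP reply comes back with the TC bit set, the resolver retries over TCP port 53, and a firewall that drops TCP/53 leaves the lookup with no answer at all. The zone, host names, record counts and the simplified truncation (header plus question only, no name compression) are assumptions, not hotmail.com's real data.

```python
import struct

UDP_LIMIT, TC_BIT, MX, IN = 512, 0x0200, 15, 1   # RFC 1035 UDP limit (no EDNS0), TC flag, MX/IN codes

def encode_name(name: str) -> bytes:
    """Domain name in wire format: length-prefixed labels, no compression."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_mx_response(zone: str, mail_hosts: list[tuple[int, str]]) -> bytes:
    """Full reply a server wants to send: header, question, one MX RR per mail host."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(mail_hosts), 0, 0)
    msg += encode_name(zone) + struct.pack("!HH", MX, IN)          # question section
    for pref, host in mail_hosts:
        rdata = struct.pack("!H", pref) + encode_name(host)
        msg += encode_name(zone) + struct.pack("!HHIH", MX, IN, 3600, len(rdata)) + rdata
    return msg

def question_end(msg: bytes) -> int:
    """Offset just past the question (assumes QDCOUNT == 1, no compression pointers)."""
    i = 12
    while msg[i]:                      # walk the length-prefixed labels to the null label
        i += 1 + msg[i]
    return i + 5                       # null label + QTYPE + QCLASS

def flags_ancount(msg: bytes) -> tuple[int, int]:
    flags, _qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    return flags, ancount

def udp_reply(full: bytes) -> bytes:
    """What leaves on UDP: the whole message if it fits, else (simplified) header + question with TC set."""
    if len(full) <= UDP_LIMIT:
        return full
    txid, flags, qd = struct.unpack("!HHH", full[:6])
    return struct.pack("!HHHHHH", txid, flags | TC_BIT, qd, 0, 0, 0) + full[12:question_end(full)]

def resolve(full: bytes, tcp_blocked: bool = False) -> tuple[str, int]:
    """Classic resolver: ask over UDP, retry over TCP/53 on TC. Returns (transport, ANCOUNT received)."""
    flags, ancount = flags_ancount(udp_reply(full))
    if not flags & TC_BIT:
        return "udp", ancount
    if tcp_blocked:                    # firewall drops TCP/53: the lookup fails outright
        return "none", 0
    framed = struct.pack("!H", len(full)) + full       # DNS over TCP: 2-byte length prefix
    return "tcp", flags_ancount(framed[2:2 + struct.unpack("!H", framed[:2])[0]])[1]

if __name__ == "__main__":
    for n in (10, 11):   # constructed MX set: ten records fit in 512 bytes, eleven do not
        hosts = [(10, f"mx{i}.mail.example.com") for i in range(1, n + 1)]
        full = build_mx_response("example.com", hosts)
        print(n, "MX RRs:", len(full), "bytes ->", resolve(full), "| TCP/53 blocked:", resolve(full, True))
```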
