12th Jun '08

DNS also uses TCP

Click here to read more about SpamStopsHere, the e-mail security company that brings you this blog.

When configuring your firewall, please remember that the Domain Name Service (DNS) protocol does not use only the User Datagram Protocol (UDP): it also falls back to the Transmission Control Protocol (TCP) for queries whose answer is over 512 bytes.

If a DNS server receives a query whose answer is over 512 bytes in size, the DNS server asks the requestor to resend the request over TCP. This is because of the size and reliability limitations of UDP.

We have had problems with a few recipient e-mail servers hanging when one of our outgoing filtering e-mail servers connected to them. One thing that makes our outgoing filters unusual is that the DNS A record answer for their hostname is well over 512 bytes. I always suspected that the recipient e-mail servers were looking up our hostname from behind a firewall that didn’t allow DNS connections over TCP, and that they also failed to time out the DNS lookup.

It was just a hunch that I had, but few recipients were willing to work with us to determine the problem, until about two weeks ago. One of our clients was trying to send e-mail to a company, and the company’s e-mail server was hanging before even sending a greeting. After notifying our customer of what was occurring, our customer contacted the network administrator at the company to ask that they work with us to resolve the issue. After the network administrator failed to find a problem, he called and blamed the problem on us. We had two SpamStopsHere technical support personnel working with the network administrator for about an hour when the issue was escalated to me.

I was actually on my way out the door at the end of my shift, but I told my colleagues of my earlier theory and suggested that they have the network administrator try looking up the A record for our outgoing e-mail server from his e-mail server. I listened in on the conversation just long enough to hear him say that the DNS lookup was timing out, and I instantly knew that my theory was correct. I made sure that my colleagues understood my theory and then I left. Later, I was told that the network administrator, for a very large company, was indeed not allowing DNS queries over TCP. Oddly, his defense wasn’t that he didn’t know that DNS also uses TCP, but rather that he was doing it for performance reasons.

Regardless of your reasons, if your firewall policy prohibits DNS queries over TCP, you will find that some things won’t work as expected, but only with a few specific sites. The problems may be so rare that you tend to blame them on the configuration or network of the sites that you can’t connect to. You may find, for example, that you are unable to e-mail Yahoo if a lookup of the MX records for Yahoo results in a long answer such as:

yahoo.com.              7196    IN      MX      1 a.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 b.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 c.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 d.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 e.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 f.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 g.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 h.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 i.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 j.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 k.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 l.mx.mail.yahoo.com.
yahoo.com.              7196    IN      MX      1 m.mx.mail.yahoo.com.

In fact, what will be weird is that you will be unable to e-mail people with highly redundant systems, who have enough MX records to handle an enterprise level of traffic. Yet you’ll have no problem e-mailing your uncle’s business that hosts its e-mail server on a cable modem.
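To make the fallback described above concrete (the 512-byte UDP limit, the truncated reply, and the retry over TCP), here is an added example that is not part of the original post or of SpamStopsHere’s code. It models both sides in Python using only the standard library: a server that answers an MX query, truncates the reply when it would not fit in a classic 512-byte UDP payload, and a client that retries over TCP when it sees the truncation flag. The zone data (`example.test.` and the `provider*.constructed-example-*.test.` exchanges) is constructed, not real; the exchanges sit under different domains because the final size of an answer depends on how much name compression the server can apply, which is why a record count alone does not tell you whether a reply will be truncated.

```python
# Added example (not the post's code): minimal DNS wire model, stdlib only; zone data below is constructed.
import socket
import struct

DNS_UDP_LIMIT = 512   # classic UDP payload ceiling without EDNS0 (RFC 1035 2.3.4)
TC_FLAG = 0x0200      # TrunCation bit in the DNS header flags word
QTYPE_MX = 15
QCLASS_IN = 1

def encode_name(name, offsets=None, pos=0):
    """Encode a name as labels; with `offsets`, compress any suffix already in the message at `pos`."""
    labels = [l for l in name.rstrip('.').split('.') if l]
    out = b''
    for i, label in enumerate(labels):
        suffix = '.'.join(labels[i:]) + '.'
        if offsets is not None and suffix in offsets:
            return out + struct.pack('!H', 0xC000 | offsets[suffix])  # compression pointer
        if offsets is not None:
            offsets[suffix] = pos + len(out)
        raw = label.encode('ascii')
        out += bytes([len(raw)]) + raw
    return out + b'\x00'

def build_query(qname, qtype=QTYPE_MX, txid=0x1234):
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(qname) + struct.pack('!HH', qtype, QCLASS_IN)

def build_mx_response(qname, exchanges, txid=0x1234, ttl=7196, over_tcp=False):
    """Server side: over UDP an answer longer than 512 bytes becomes a header-plus-question
    reply with TC set (one common server behaviour); over TCP the full answer is returned."""
    offsets = {}
    question = encode_name(qname, offsets, 12) + struct.pack('!HH', QTYPE_MX, QCLASS_IN)
    answers, pos = b'', 12 + len(question)
    for pref, exchange in exchanges:
        owner = encode_name(qname, offsets, pos)
        fixed = struct.pack('!HHI', QTYPE_MX, QCLASS_IN, ttl)
        rdata_pos = pos + len(owner) + len(fixed) + 2          # skip the RDLENGTH field
        rdata = struct.pack('!H', pref) + encode_name(exchange, offsets, rdata_pos + 2)
        rr = owner + fixed + struct.pack('!H', len(rdata)) + rdata
        answers += rr
        pos += len(rr)
    flags = 0x8180                                              # QR, RD, RA
    full = struct.pack('!HHHHHH', txid, flags, 1, len(exchanges), 0, 0) + question + answers
    if over_tcp or len(full) <= DNS_UDP_LIMIT:
        return full
    return struct.pack('!HHHHHH', txid, flags | TC_FLAG, 1, 0, 0, 0) + question

def is_truncated(msg):
    """True when the server flagged the reply as truncated, i.e. the client must retry over TCP."""
    return bool(struct.unpack('!H', msg[2:4])[0] & TC_FLAG)

def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack('!H', len(msg)) + msg

def read_tcp_message(sock):
    """Read one length-prefixed message; TCP may deliver it in several chunks."""
    def recv_exact(n):
        buf = b''
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError('peer closed the connection mid-message')
            buf += chunk
        return buf
    (length,) = struct.unpack('!H', recv_exact(2))
    return recv_exact(length)

def resolve_with_fallback(qname, server, qtype=QTYPE_MX, timeout=3.0):
    """Client side, live: UDP first, TCP only if the reply says TC. A firewall dropping TCP/53
    makes the second leg stall until `timeout`, the hang the post describes. Not run offline."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(DNS_UDP_LIMIT)
    if not is_truncated(reply):
        return reply, 'udp'
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(frame_for_tcp(query))
        return read_tcp_message(tcp), 'tcp'

# Constructed zone (no real hosts): 13 MX records on distinct provider domains, which
# defeats most name compression and pushes the answer past 512 bytes.
CONSTRUCTED_QNAME = 'example.test.'
CONSTRUCTED_EXCHANGES = [(10, 'mx.provider%d.constructed-example-%d.test.' % (i, i))
                         for i in range(1, 14)]

def simulate(qname=CONSTRUCTED_QNAME, exchanges=CONSTRUCTED_EXCHANGES):
    """Offline walk-through of both legs; returns (udp_reply, tcp_reply)."""
    udp_reply = build_mx_response(qname, exchanges)
    if not is_truncated(udp_reply):
        return udp_reply, udp_reply
    return udp_reply, build_mx_response(qname, exchanges, over_tcp=True)

if __name__ == '__main__':
    udp_reply, tcp_reply = simulate()
    print('UDP reply: %d bytes, truncated=%s' % (len(udp_reply), is_truncated(udp_reply)))
    print('TCP reply: %d bytes, truncated=%s' % (len(tcp_reply), is_truncated(tcp_reply)))
```

Run as a script, it shows the UDP leg collapsing to a 30-byte header-plus-question reply with TC set while the TCP leg carries the full 701-byte answer. On a live network the same check is a query forced over TCP (dig’s `+tcp` option) against the resolver in question: if UDP lookups answer but the TCP lookup times out, the firewall between them, not the remote site, is what is breaking the resolution.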

This all goes back to my very first blog entry. If you’re going to do filtering, please at least be aware of what you’re filtering. We “problematic sites” will have a hard enough time convincing you to unblock our traffic. We shouldn’t also have to convince you that you are blocking our traffic.
