MoinQ:


../UDP

1. DNS/TCP

TCP support is now mandatory. (Reality has not caught up yet, though.)

/nhk.or.jp TCP on Akamai DNS

Is this a requirement on implementations? (Is operation a separate matter?) /google

RFC 5966 : DNS Transport over TCP - Implementation Requirements http://tools.ietf.org/html/rfc5966

This document therefore updates the core DNS protocol specifications
such that support for TCP is henceforth a REQUIRED part of a full DNS
protocol implementation.

When you implement the protocol, you must make TCP usable.

/Introduction

At the time of writing, the vast majority of Top Level Domain (TLD)
authority servers and all of the root name servers support TCP and
the author knows of no evidence to suggest that TCP-based DoS attacks
against existing DNS infrastructure are commonplace.

If you query over TCP, the danger that comes with using UDP (cache poisoning) can be avoided. DNS/tcp/qmail.jp

Operators of recursive servers should ensure that they only accept
connections from expected clients, and do not accept them from
unknown sources.  In the case of UDP traffic, this will help protect
against reflector attacks [RFC5358] and in the case of TCP traffic it
will prevent an unknown client from exhausting the server's limits on
the number of concurrent connections.

If TCP is available, what reason is there to use EDNS0?


http://bridge.grumpy-troll.org/2011/02/dns-dont-implement-edns0-to-bypass.html

I can see a horrible scenario where such setups use EDNS0 to indicate a capability for larger packet sizes but keep TCP turned off. As long as responses fit within the raised limit, this appears to work: they get all the data. But as soon as truncation happens anyway, they are suddenly left with *no* data and no ability to resolve even a subset of the information.

Even if EDNS0 can be used, TCP will be needed eventually. When that time comes, ...

The moral of this story: if you implement EDNS0, you MUST implement TCP fallback too.
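To make the "EDNS0 without TCP" failure concrete, here is an added example (not from the page, the blog post, or any DNS implementation): a minimal stub resolver that sends a query with an EDNS0 OPT record, checks the TC bit in the reply, and falls back to TCP, run against a constructed in-process server whose answer is 712 bytes. The fake server, the 0x1234 query ID and the `example.com` name are assumptions for the demonstration; `tcp_send=None` models the setup the post warns about.

```python
import struct

TC = 0x0200  # TrunCation flag in the DNS header flags word

def build_query(qname, qtype=1, edns_bufsize=None):
    """DNS query with RD set; when edns_bufsize is given, append an EDNS0 OPT
    pseudo-RR advertising that UDP payload size in its CLASS field."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + name + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # root name, TYPE=41 (OPT), CLASS=payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg

def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & TC)

def resolve(query, udp_send, tcp_send=None):
    """UDP first; if the reply carries TC=1, retry the same query over TCP.
    tcp_send=None models 'EDNS0 on, TCP turned off': no data at all on TC."""
    reply = udp_send(query)
    if not is_truncated(reply):
        return reply, "udp"
    if tcp_send is None:
        return None, "truncated-no-fallback"
    return tcp_send(query), "tcp"

# Constructed stand-in for a server's full answer: header (QR|RD|RA, NOERROR)
# plus 700 bytes of padding in place of a large RRset; 712 bytes in total.
FULL_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + b"\x00" * 700

def fake_udp_server(query):
    """Constructed server: limit is 512 bytes, or the EDNS0 size if advertised."""
    limit = 512
    if struct.unpack("!H", query[10:12])[0] == 1:     # ARCOUNT=1 -> OPT present
        limit = struct.unpack("!H", query[-8:-6])[0]  # CLASS field of the OPT RR
    if len(FULL_ANSWER) <= limit:
        return FULL_ANSWER
    # too big for the limit: header only, TC set, all section counts zero
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | TC, 0, 0, 0, 0)

def fake_tcp_server(query):
    return FULL_ANSWER  # over TCP the 512-byte / EDNS0 size limit does not apply
```

With no EDNS0 or a 600-byte buffer the UDP reply is truncated and only the TCP path returns the answer; with a 4096-byte buffer UDP alone suffices, which is exactly why the TCP-off setup "appears to work" until a response outgrows the advertised size.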

http://www.wdic.org/w/WDIC/DNS%E3%83%97%E3%83%AD%E3%83%88%E3%82%B3%E3%83%AB

http://www.networkworld.com/community/blog/allow-both-tcp-and-udp-port-53-your-dns-serve

Allow Both TCP and UDP Port 53 to Your DNS Servers
DNS queries are getting bigger so we do not want to accidentally block them
By Scott Hogg on Sun, 08/22/10 - 7:44pm. 

https://lists.isc.org/pipermail/bind-users/2010-December/082104.html

http://internet.watch.impress.co.jp/docs/event/janog26/20100714_380523.html

./dnscache made TCP-only

http://serverfault.com/questions/480516/tcp-upstream-in-unbound-doesnt-work-use-tcp-for-query-upstream-dns-servers-rea