## page was renamed from DNS/基礎知識/TCP ## page was renamed from DNS/用語/TCP ## page was renamed from DNS/TCP <> ---- [[../UDP]] == DNS/TCP == TCPサポートは必須になっています。(現実は追いついていないが。) [[/nhk.or.jp]] akamai DNS の TCP 実装に対する要請ですか。(運用は別ですか?) [[/google]] RFC 5966 : DNS Transport over TCP - Implementation Requirements http://tools.ietf.org/html/rfc5966 {{{ This document therefore updates the core DNS protocol specifications such that support for TCP is henceforth a REQUIRED part of a full DNS protocol implementation. }}} プロトコルを実装するときにはTCPを使えるようにしなければならない。 [[/Introduction]] {{{ At the time of writing, the vast majority of Top Level Domain (TLD) authority servers and all of the root name servers support TCP and the author knows of no evidence to suggest that TCP-based DoS attacks against existing DNS infrastructure are commonplace. }}} TCPで問い合わせすれば、UDPを使っていることの危険性(キャッシュ毒入れ)は避けられます。 [[DNS/tcp/qmail.jp]] {{{ Operators of recursive servers should ensure that they only accept connections from expected clients, and do not accept them from unknown sources. In the case of UDP traffic, this will help protect against reflector attacks [RFC5358] and in the case of TCP traffic it will prevent an unknown client from exhausting the server's limits on the number of concurrent connections. }}} TCPが使えるなら、EDNS0を使う理由はなにか。 ----- http://bridge.grumpy-troll.org/2011/02/dns-dont-implement-edns0-to-bypass.html {{{ I can see a horrible scenario where such setups use EDNS0 to indicate a capability for larger packet sizes but keep TCP turned off. As long as responses fit within the raised limit, this appears to work: they get all the data. But as soon as truncation happens anyway, they are suddenly left with *no* data and no ability to resolve even a subset of the information. }}} EDNS0 が使えるとしても、いずれはTCPが必要となる。その時に、... {{{ The moral of this story: if you implement EDNS0, you MUST implement TCP fallback too. }}} http://www.wdic.org/w/WDIC/DNS%E3%83%97%E3%83%AD%E3%83%88%E3%82%B3%E3%83%AB http://www.networkworld.com/community/blog/allow-both-tcp-and-udp-port-53-your-dns-serve {{{ Allow Both TCP and UDP Port 53 to Your DNS Servers DNS queries are getting bigger so we do not want to accidentally block them By Scott Hogg on Sun, 08/22/10 - 7:44pm. }}} https://lists.isc.org/pipermail/bind-users/2010-December/082104.html bind 9.7.2-P3 does not resolve www.microsoft.com http://internet.watch.impress.co.jp/docs/event/janog26/20100714_380523.html DNSSECでキャッシュDNSサーバーの負荷は確実に増大する ブロードバンドルーターには課題が多い [[./dnscacheをTCP専用化]] http://serverfault.com/questions/480516/tcp-upstream-in-unbound-doesnt-work-use-tcp-for-query-upstream-dns-servers-rea