Saturday, March 26, 2016

What protocol (TCP or UDP) DNS server uses when a client queries?

By default, a DNS server answers client queries over UDP on port 53. One reason for this choice is speed: UDP needs no connection handshake like TCP's, so the client gets its answer from the DNS server sooner.
Many people new to Linux do not know that the DNS client tools let us choose the protocol used for a query. We can force our DNS queries to use a TCP connection instead of UDP. Let us see how to make DNS clients such as nslookup and dig use TCP rather than UDP.

Using nslookup:
Example 1: Query linuxnix.com after setting the vc option (vc stands for "virtual circuit", i.e. TCP)

[root@localhost fd]# nslookup
> set vc
> linuxnix.com
Server:        192.168.40.2
Address:       192.168.40.2#53

Non-authoritative answer:
Name:    linuxnix.com
Address: 141.101.117.13
Name:    linuxnix.com
Address: 141.101.116.13
> exit
[root@localhost fd]#
Corresponding tcpdump output:
[root@localhost surendra]# tcpdump -i eth0 tcp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:20:56.949852 IP 192.168.40.128.48213 > 192.168.40.2.domain: Flags [S], seq 1153779393, win 5840, options [mss 1460,sackOK,TS val 68892286 ecr 0,nop,wscale 6], length 0
09:20:57.009898 IP 192.168.40.2.domain > 192.168.40.128.48213: Flags [S.], seq 161618490, ack 1153779394, win 64240, options [mss 1460], length 0
09:20:57.009953 IP 192.168.40.128.48213 > 192.168.40.2.domain: Flags [.], ack 1, win 5840, length 0
09:20:57.012126 IP 192.168.40.128.48213 > 192.168.40.2.domain: Flags [P.], seq 1:33, ack 1, win 5840, length 32 38272+ A? linuxnix.com. (30)
09:20:57.012435 IP 192.168.40.2.domain > 192.168.40.128.48213: Flags [.], ack 33, win 64240, length 0
09:20:57.015475 IP 192.168.40.2.domain > 192.168.40.128.48213: Flags [P.], seq 1:65, ack 33, win 64240, length 64 38272 2/0/0 A 141.101.117.13, A 141.101.116.13 (62)
09:20:57.015522 IP 192.168.40.128.48213 > 192.168.40.2.domain: Flags [.], ack 65, win 5840, length 0
09:20:57.016674 IP 192.168.40.128.48213 > 192.168.40.2.domain: Flags [F.], seq 33, ack 65, win 5840, length 0
09:20:57.017209 IP 192.168.40.2.domain > 192.168.40.128.48213: Flags [.], ack 34, win 64239, length 0
09:20:57.020220 IP 192.168.40.2.domain > 192.168.40.128.48213: Flags [FP.], seq 65, ack 34, win 64239, length 0
09:20:57.020269 IP 192.168.40.128.48213 > 192.168.40.2.domain: Flags [.], ack 66, win 5840, length 0

Example 2: Forcing dig to use a TCP connection with the +tcp option, as shown below.

[root@localhost fd]# dig +tcp linuxnix.com

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> +tcp linuxnix.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16760
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;linuxnix.com.            IN    A

;; ANSWER SECTION:
linuxnix.com.        143    IN    A    141.101.116.13
linuxnix.com.        143    IN    A    141.101.117.13

;; Query time: 7 msec
;; SERVER: 192.168.40.2#53(192.168.40.2)
;; WHEN: Tue Nov 26 09:21:50 2013
;; MSG SIZE  rcvd: 62
Corresponding tcpdump output:
09:21:50.294476 IP 192.168.40.128.43512 > 192.168.40.2.domain: Flags [S], seq 1984885075, win 5840, options [mss 1460,sackOK,TS val 68945630 ecr 0,nop,wscale 6], length 0
09:21:50.298193 IP 192.168.40.2.domain > 192.168.40.128.43512: Flags [S.], seq 364468889, ack 1984885076, win 64240, options [mss 1460], length 0
09:21:50.298273 IP 192.168.40.128.43512 > 192.168.40.2.domain: Flags [.], ack 1, win 5840, length 0
09:21:50.298677 IP 192.168.40.128.43512 > 192.168.40.2.domain: Flags [P.], seq 1:33, ack 1, win 5840, length 32 16760+ A? linuxnix.com. (30)
09:21:50.299053 IP 192.168.40.2.domain > 192.168.40.128.43512: Flags [.], ack 33, win 64240, length 0
09:21:50.302191 IP 192.168.40.2.domain > 192.168.40.128.43512: Flags [P.], seq 1:65, ack 33, win 64240, length 64 16760 2/0/0 A 141.101.116.13, A 141.101.117.13 (62)
09:21:50.302339 IP 192.168.40.128.43512 > 192.168.40.2.domain: Flags [.], ack 65, win 5840, length 0
09:21:50.307300 IP 192.168.40.128.43512 > 192.168.40.2.domain: Flags [F.], seq 33, ack 65, win 5840, length 0
09:21:50.308262 IP 192.168.40.2.domain > 192.168.40.128.43512: Flags [.], ack 34, win 64239, length 0
09:21:50.310440 IP 192.168.40.2.domain > 192.168.40.128.43512: Flags [FP.], seq 65, ack 34, win 64239, length 0
09:21:50.310483 IP 192.168.40.128.43512 > 192.168.40.2.domain: Flags [.], ack 66, win 5840, length 0

In conclusion, we can force our DNS queries to go over TCP, and the DNS server will answer them over TCP. One more point to note is that DNS uses the TCP protocol for zone transfers.
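As an added example (not part of the original post), the following Python script does by hand what "set vc" and "+tcp" do: it builds an A query, frames it for TCP with the 2-byte length prefix that RFC 1035 section 4.2.2 requires, and parses the reply. That prefix is why the captures above show a TCP payload length of 32 for a 30-byte query and 64 for the 62-byte answer. The script also checks the TC (truncated) bit, which is the usual reason a resolver retries a UDP query over TCP, so a firewall that passes only UDP/53 silently breaks large answers. The server address, the default query id 0x1234 and the sample response bytes are constructed here, not captured; the sample reuses the name, id and addresses from the dig output so the parser can be run offline.

```python
"""Minimal DNS-over-TCP client helpers (added example; not from the original post)."""
from __future__ import annotations
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int, qtype: int = QTYPE_A) -> bytes:
    """12-byte header with RD set, one question, no other records (30 bytes for linuxnix.com)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def frame_tcp(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: on TCP each DNS message is preceded by a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> tuple[bytes, bytes]:
    """Split one length-prefixed message off a TCP byte stream; returns (msg, remainder)."""
    if len(stream) < 2:
        raise ValueError("need at least 2 bytes for the length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("incomplete message: only part of the record has arrived")
    return stream[2:2 + length], stream[2 + length:]


def is_truncated(msg: bytes) -> bool:
    """True when the TC bit is set: the UDP answer was cut off and must be retried over TCP."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & 0x0200)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name at off; a compression pointer (0xC0..) ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expect_id: int) -> list[str]:
    """Check id, QR bit and RCODE, then return the IPv4 addresses of A answers in order."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expect_id:
        raise ValueError(f"response id {qid} does not match query id {expect_id}")
    if (flags & 0x8000) == 0:
        raise ValueError("not a response (QR bit clear)")
    if (flags & 0x000F) != 0:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def query_tcp(server: str, name: str, qid: int = 0x1234, timeout: float = 5.0) -> list[str]:
    """Send one framed query to TCP port 53 and read until a complete framed reply is in."""
    query = build_query(name, qid)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before a full reply")
            buf += chunk
            try:
                msg, _ = unframe_tcp(buf)
                break
            except ValueError:
                continue                       # partial record: keep reading
    return parse_a_records(msg, qid)


# Constructed sample (not a real capture): id, name and addresses mirror the post's dig output.
SAMPLE_QID = 16760
_RR = struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 143, 4)   # A, IN, TTL 143, RDLENGTH 4
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_QID, 0x8180, 1, 2, 0, 0)          # QR RD RA, 2 answers
    + encode_name("linuxnix.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + _RR + bytes([141, 101, 116, 13])                # name = pointer to offset 12
    + b"\xc0\x0c" + _RR + bytes([141, 101, 117, 13])
)

if __name__ == "__main__":
    q = build_query("linuxnix.com", SAMPLE_QID)
    print(len(q), len(frame_tcp(q)), len(SAMPLE_RESPONSE))   # 30 32 62, as in the captures
    print(parse_a_records(SAMPLE_RESPONSE, SAMPLE_QID))
```

Run it as-is to check the framing arithmetic against the captures, or call query_tcp("192.0.2.53", "example.com") (placeholder resolver address) against a resolver you operate and confirm with tcpdump -i eth0 tcp port 53 that the exchange matches the one shown above.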
