Disabling TCP use causes issues?

Petr Špaček petr.spacek at nic.cz
Thu Aug 2 15:53:04 UTC 2018


Hello Ray,

In general, TCP is mandatory for proper DNS operation, so I would
recommend that you not waste time on non-TCP DNS. It will just break in
various situations, as you saw yourself.


Please see the standard
https://tools.ietf.org/html/rfc7766
which reinforces the mandate for TCP support in DNS:


          DNS Transport over TCP - Implementation Requirements

Abstract

   This document specifies the requirement for support of TCP as a
   transport protocol for DNS implementations and provides guidelines
...


1.  Introduction

   This document therefore updates the core DNS protocol specifications
   such that support for TCP is henceforth a REQUIRED part of a full DNS
   protocol implementation.

...

I hope this clarifies the state of DNS in 2018.

Petr Špaček  @  CZ.NIC


On 2.8.2018 17:15, RayG via Unbound-users wrote:
> I decided to try using unbound without enabling TCP so I set "do-tcp: no".
> 
> Then I was using the program I have to copy over the settings file and
> this includes obtaining any updated roots.hints file from
> ftp.internic.net as ftp://ftp.internic.net/domain/named.cache
> 
> However, when I ran the program I was not able, for some time, to reach
> the site.
> 
> I enabled verbose level 4 and I have a log from:
> 
> 02/08/2018 15:19:41 C:\Program Files\Unbound\unbound.exe[9192:0] info:
> start of service (unbound 1.7.4_20180716).
> 
> At the start I was getting:
> 
> C:\Program Files\Unbound>dig ftp.internic.net
> 
> ; <<>> DiG 9.12.2 <<>> ftp.internic.net
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> Returned from DIG.
> 
> This carried on for some time until the response changed from the above to:
> 
> C:\Program Files\Unbound>dig ftp.internic.net
> 
> ; <<>> DiG 9.12.2 <<>> ftp.internic.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50179
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ftp.internic.net.              IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Thu Aug 02 15:30:31 GMT Summer Time 2018
> ;; MSG SIZE  rcvd: 45
> 
> And then a bit later on I got:
> 
> ; <<>> DiG 9.12.2 <<>> ftp.internic.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37661
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ftp.internic.net.              IN      A
> 
> ;; ANSWER SECTION:
> ftp.internic.net.       1035    IN      CNAME   internicftp.vip.icann.org.
> internicftp.vip.icann.org. 1036 IN      A       192.0.47.9
> 
> ;; Query time: 31 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Thu Aug 02 15:33:38 GMT Summer Time 2018
> ;; MSG SIZE  rcvd: 100
> 
> The log is some 2.2MB so I did not want to attach it to this post.
> 
> Here are what I hope are some salient clues from the log:
> 
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] info:
> validator operate: query c.gtld-servers.net. A IN
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> querying for next missing target
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> return error response SERVFAIL
> 
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] info:
> validator operate: query c.gtld-servers.net. A IN
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> validator: nextmodule returned
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> cannot validate non-answer, rcode SERVFAIL
> 
> 02/08/2018 15:19:51 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> request has dependency depth of 5
> 02/08/2018 15:19:51 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> request has exceeded the maximum dependency depth with depth of 5
> 02/08/2018 15:19:51 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> return error response SERVFAIL
> 
> 02/08/2018 15:22:19 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> processQueryTargets: targetqueries 0, currentqueries 0 sentcount 33
> 02/08/2018 15:22:19 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> request has exceeded the maximum number of sends with 33
> 02/08/2018 15:22:19 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> return error response SERVFAIL
> 
> From the configuration file:
> 
>                 # Enable IPv4, "yes" or "no".
>                 do-ip4: yes
> 
>                 # Enable IPv6, "yes" or "no".
>                 do-ip6: yes
> 
>                 # Enable UDP, "yes" or "no".
>                 do-udp: yes
> 
>                 # Enable TCP, "yes" or "no".
>                 do-tcp: no
> 
> I also notice some of these lines in the log, but TCP is not enabled?:
> 
> 02/08/2018 15:19:56 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> tcp error for address ip4 199.254.50.1 port 53 (len 16)
> 02/08/2018 15:21:08 C:\Program Files\Unbound\unbound.exe[9192:1] debug:
> tcp error for address ip6 2620:74:19::33 port 53 (len 28)
> 
> Any thoughts?
> 
> Regards
> 
> Ray
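The failure mode behind this thread, as an added example written for this page (it is not code from the thread or from the Unbound project): a client queries over UDP, the answer does not fit and comes back with only the header and question and the TC bit set, and RFC 1035 / RFC 7766 require the client to retry over TCP, where every message is prefixed with a two-byte length. The "server" below is a constructed stand-in that truncates above an assumed 512-byte UDP payload; the CNAME/A names are taken from the dig output above, while the RRSIG-sized padding and all sizes are assumptions for an offline demo. With do_tcp=False the client has no fallback and, like Unbound with do-tcp: no, ends up reporting SERVFAIL.

```python
"""Added example: UDP-first DNS lookup with the TC-bit fallback to TCP that
RFC 1035 and RFC 7766 require.  Not code from the thread or from Unbound;
the "server" is a constructed stand-in and all sizes are assumptions."""
import struct

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080   # DNS header flag bits
RCODE_SERVFAIL = 2
UDP_PAYLOAD = 512    # assumed UDP limit for the constructed server (no EDNS)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype=1, qid=0x1234):
    """Minimal query: RD=1, one question, no EDNS."""
    return (struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def parse_header(msg):
    """Read the 12-byte header; only the fields the fallback logic needs."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & TC), "rcode": flags & 0xF,
            "ancount": an}


def rr(owner, rtype, rdata, ttl=1035):
    """One resource record; owner is already wire-encoded (or a pointer)."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def fake_server(query, max_size):
    """Constructed authoritative server.  If the full answer exceeds
    max_size it does what RFC 1035 requires: header + question, TC=1."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    target = encode_name("internicftp.vip.icann.org")
    answers = (rr(b"\xc0\x0c", 5, target)                  # CNAME (name from the thread)
               + rr(target, 1, bytes([192, 0, 47, 9]))    # A (address from the thread)
               + rr(b"\xc0\x0c", 46, b"\x00" * 600))      # RRSIG-sized padding (constructed)
    full = struct.pack("!HHHHHH", qid, QR | RD | RA, 1, 3, 0, 0) + question + answers
    if len(full) <= max_size:
        return full
    return struct.pack("!HHHHHH", qid, QR | TC | RD | RA, 1, 0, 0, 0) + question


def udp_transport(query):
    """Stand-in for sendto/recvfrom against the constructed server."""
    return fake_server(query, UDP_PAYLOAD)


def tcp_transport(framed):
    """Stand-in for a TCP stream: 2-byte big-endian length before each
    message in both directions (RFC 7766 section 8)."""
    (n,) = struct.unpack("!H", framed[:2])
    reply = fake_server(framed[2:2 + n], 65535)
    return struct.pack("!H", len(reply)) + reply


def resolve(query, udp_send, tcp_send, do_tcp=True):
    """Client side: try UDP; if the reply is truncated, retry over TCP,
    unless TCP is disabled, which is the do-tcp: no situation."""
    hdr = parse_header(udp_send(query))
    if not hdr["tc"]:
        return {"transport": "udp", **hdr}
    if not do_tcp:
        # No transport left that can carry the answer: give up with SERVFAIL.
        return {"transport": "udp", "id": hdr["id"], "tc": True,
                "rcode": RCODE_SERVFAIL, "ancount": 0}
    stream = tcp_send(struct.pack("!H", len(query)) + query)
    (n,) = struct.unpack("!H", stream[:2])
    return {"transport": "tcp", **parse_header(stream[2:2 + n])}


if __name__ == "__main__":
    q = build_query("ftp.internic.net")
    print("do-tcp yes:", resolve(q, udp_transport, tcp_transport, do_tcp=True))
    print("do-tcp no: ", resolve(q, udp_transport, tcp_transport, do_tcp=False))
```

The fix on a real resolver is the configuration change already visible in the quoted file, do-tcp: yes; after restarting, `dig +tcp @::1 ftp.internic.net` against the resolver is a quick way to confirm that TCP is actually accepted and answered.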