= DNS/TCP =

{{{
The era in which DNS uses TCP has arrived
}}}

On the zone-server side, DNS/TCP support has been mandatory (since RFC 5966, in 2010).
And a client may send its query over TCP straight away, without trying UDP first.
-- ToshinoriMaeno

[[DNS/flag_days]]

== RFC ==

DNS Transport over TCP - Implementation Requirements
https://tools.ietf.org/html/rfc5966 (obsoleted by 7766), August 2010
{{{
4. Transport Protocol Selection

   All general-purpose DNS implementations MUST support both UDP and TCP
   transport.
}}}

https://tools.ietf.org/html/rfc7766  Category: Standards Track

Specification for DNS over Transport Layer Security (TLS)
https://tools.ietf.org/html/rfc7858

DNS Transport over TCP - Operational Requirements
draft-ietf-dnsop-dns-tcp-requirements-01, Best Current Practice
https://tools.ietf.org/html/draft-ietf-dnsop-dns-tcp-requirements-01
{{{
Abstract

   This document encourages the practice of permitting DNS messages to
   be carried over TCP on the Internet.  It also describes some of the
   consequences of this behavior and the potential operational issues
   that can arise when this best common practice is not upheld.
}}}

== Surveys ==

DNS over TCP: A Rudimentary Textual Analysis
https://www.nanog.org/sites/default/files/nanog63-dnstrack-kristoff-dnstcp.pdf

https://www.networkworld.com/article/2231682/cisco-subnet/cisco-subnet-allow-both-tcp-and-udp-port-53-to-your-dns-servers.html

DNS over TCP as Seen From the Authoritative Server
https://ns1.com/blog/dns-over-tcp-as-seen-from-the-authoritative-server

Survey of [[/JP-domain]]

== Domains that reject TCP ==

Refusing the connection for a TCP query would be acceptable, but there are also domains that simply never answer.

[[/instagram.com]]
[[/facebook.com]]
[[/nsatc.net]]
[[/heteml.jp]]
[[/cgi.tbs.co.jp]]
[[/cwidc.net]]
[[/datahotel.ne.jp]]
[[/datacenter.ne.jp]]
[[/ripe.net]]

== Partial support ==

[[/dreamhost.com]]
----
Some servers return FORMERR unless +noedns is added to dig +tcp.

== DNS/TCP RFC ==

https://datatracker.ietf.org/doc/draft-ietf-dnsop-5966bis/

https://tools.ietf.org/html/rfc5966 DNS Transport over TCP - Implementation Requirements
{{{
Obsoleted by: 7766

Internet Engineering Task Force (IETF)                         R. Bellis
Request for Comments: 5966                                    Nominet UK
Updates: 1035, 1123                                          August 2010
Category: Standards Track
ISSN: 2070-1721
}}}

https://tools.ietf.org/html/rfc7766
{{{
Internet Engineering Task Force (IETF)                      J. Dickinson
Request for Comments: 7766                                  S. Dickinson
Obsoletes: 5966                                                  Sinodun
Updates: 1035, 1123                                            R. Bellis
Category: Standards Track                                            ISC
ISSN: 2070-1721                                                A. Mankin
                                                              D. Wessels
                                                           Verisign Labs
                                                              March 2016
}}}
{{{
This document therefore updates the core DNS protocol specifications
such that support for TCP is henceforth a REQUIRED part of a full DNS
protocol implementation.
}}}
{{{
Whilst this document makes no specific requirements for operators of DNS
servers to meet, it does offer some suggestions to operators to help
ensure that support for TCP on their servers and network is optimal.
It should be noted that failure to support TCP (or the blocking of DNS
over TCP at the network layer) will probably result in resolution
failure and/or application-level timeouts.
}}}

== ATR ==

https://blog.apnic.net/2018/04/16/how-well-does-atr-actually-work/
Is it possible to make a hybrid approach for the #DNS — using #UDP when we can, and #TCP only when we must — faster and more robust?

== What really matters is security ==

Using TCP is the proper way to go. -- ToshinoriMaeno

If you want UDP to be used, then support Cookies.
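As an added example (not code from this wiki page or from any of the RFCs or projects it cites), the following Python probe frames a query for TCP with the RFC 1035 two-byte length prefix, optionally omits the EDNS OPT record (the equivalent of the dig +tcp +noedns check mentioned under Partial support), and classifies a server as answered, refused, silent (timeout) or closed, which is exactly the distinction the "Domains that reject TCP" section draws. The helper names are hypothetical and the 192.0.2.53 address in the usage note is a documentation-range placeholder.

```python
import socket
import struct

# Added example: hypothetical helper names, not from the wiki page or any DNS library.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234, edns=True):
    """Wire-format query (RD set); edns=False is the equivalent of 'dig +noedns'."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = hdr + qname + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT pseudo-RR (RFC 6891): root name, type 41, UDP size 4096, TTL 0, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg

def frame_tcp(msg):
    """RFC 1035 section 4.2.2: two-byte big-endian length prefix before the message."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "tc": bool(flags & 0x0200), "ancount": an}

def probe_tcp(server, name, port=53, edns=True, timeout=5.0):
    """Classify a server: 'answered:<RCODE>', 'refused', 'timeout', 'closed' or 'error:...'."""
    query = build_query(name, edns=edns)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(frame_tcp(query))
            prefix = s.recv(2)
            if len(prefix) < 2:
                return "closed"          # server accepted, then hung up without a reply
            need = struct.unpack("!H", prefix)[0]
            buf = b""
            while len(buf) < need:
                chunk = s.recv(need - len(buf))
                if not chunk:
                    return "closed"
                buf += chunk
    except ConnectionRefusedError:
        return "refused"                 # the acceptable case named on this page
    except socket.timeout:
        return "timeout"                 # the silent case: no answer at all
    except OSError as e:
        return "error:" + str(e.strerror)
    return "answered:" + parse_header(buf)["rcode"]
```

Calling `probe_tcp("192.0.2.53", "example.com", edns=False)` against a server of your own reproduces the dig +tcp +noedns check; running it with `edns=True` as well shows whether the FORMERR behaviour noted above depends on the OPT record.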