DNS over TCP mandatory?

Good day! During testing of my setup with different tools available on the internet, I mostly got good ratings. There is a specific tool however (which is loaded with a ton of checks for diverse best-practices and recommendations) where my setup is shown as complete failure. =) I am talking about https://check-your-website.server-daten.de/

Here, my DNS-servers (provided by deSEC) are the culprit for failing, as they don’t work via TCP. I was wondering why this could be such a problem, if the setup validates with all other tests I found.

I wrote to the developer, who informed me that TCP is an IANA-Requirement:

https://www.iana.org/help/nameserver-requirements

The name servers must answer DNS queries over both the UDP and TCP
protocols on port 53.

Do your servers only switch to TCP after the limit of 512 has been reached? Or is TCP generally disabled? What is your take on that?

Hi @airflow,

I find that most often the complaint is about the SOA get.desec.io.
and not the NS ns1.desec.io. or ns2.desec.org.

You can see it here
https://check-your-website.server-daten.de/?q=desec.io
and on one of my domain names here
https://check-your-website.server-daten.de/?q=petrifiedhaggis.net

I also see a Warning here Zonemaster in the Zone section.

I believe these are just overzealous tests finding lint out of non-issues.

Sure they do. You can test this yourself using e.g. the +tcp option of dig(1):
dig @ns1.desec.io +tcp example.com a

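An added example, not code from this thread or from deSEC: a small Python checker that does what `dig +tcp` does by hand, so the TCP framing (2-byte length prefix) and the TC bit that makes a resolver retry over TCP are visible. The nameserver names and the `example.com` query come from the thread; the truncated UDP reply is constructed.

```python
import socket
import struct

# Constructed sample: what a UDP answer with the TC (truncated) bit set looks like.
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
TRUNCATED_UDP_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8300, 1, 0, 0, 0) + QUESTION

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set), one IN question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def tcp_frame(msg):
    """RFC 1035 4.2.2: over TCP every message is prefixed with its 2-byte length."""
    return struct.pack(">H", len(msg)) + msg

def parse_header(msg):
    """Return (txid, rcode, tc); tc=True is the signal to retry the query over TCP."""
    txid, flags = struct.unpack(">HH", msg[:4])
    return txid, flags & 0x000F, bool(flags & 0x0200)

def recv_exact(sock, n):
    """TCP is a stream: keep reading until exactly n bytes have arrived."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf

def query_tcp(server, name, family=socket.AF_UNSPEC, timeout=3.0):
    """Send one query over TCP/53; family=AF_INET6 mirrors 'dig -6 +tcp'."""
    fam, typ, proto, _, addr = socket.getaddrinfo(server, 53, family, socket.SOCK_STREAM)[0]
    with socket.socket(fam, typ, proto) as s:
        s.settimeout(timeout)
        s.connect(addr)
        s.sendall(tcp_frame(build_query(name)))
        (length,) = struct.unpack(">H", recv_exact(s, 2))
        return recv_exact(s, length)

def supports_tcp(server, family=socket.AF_UNSPEC, name="example.com"):
    """True when the server answers over TCP with a reply carrying our transaction id."""
    try:
        return parse_header(query_tcp(server, name, family))[0] == 0x1234
    except (OSError, ConnectionError):  # timeout, refused, unreachable, truncated stream
        return False

if __name__ == "__main__":
    for srv in ("ns1.desec.io", "ns2.desec.org", "get.desec.io"):
        print(srv, "v4:", supports_tcp(srv, socket.AF_INET), "v6:", supports_tcp(srv, socket.AF_INET6))
```

Run it on a host with both IPv4 and IPv6 connectivity to reproduce the per-family results reported later in this thread.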

You’re right. After some digging (pun intended) in the report of the tool it seems that it complains about the NS get.desec.io, which is for me reachable via TCP as well. But I can only test IPv4. The tool complains it’s not reachable via its IPv6 address.

Fatal error: Nameserver doesn't support TCP connection: get.desec.io / 2a01:4f8:10a:1044:deec:642:ac10:80: Timeout

I don’t know. Perhaps it’s just an academic problem, as it’s working in the real world for all of us. But perhaps you are interested in the finding. I’ll ignore the outcome with this test-suite for now.

dig -6 @ns1.desec.io +tcp fails, as does dig -6 @get.desec.io +tcp, but dig -6 @ns2.desec.org +tcp works for me. That would seem to be a bug, i.e. all servers should respond on port 53 TCP on IPv4 and IPv6, I think.

$ host ns1.desec.io
ns1.desec.io has address 45.54.76.1
ns1.desec.io has IPv6 address 2607:f740:e633:deec::2
$ host ns2.desec.org
ns2.desec.org has address 157.53.224.1
ns2.desec.org has IPv6 address 2607:f740:e00a:deec::2
$ host get.desec.io
get.desec.io has address 88.99.64.5
get.desec.io has IPv6 address 2a01:4f8:10a:1044:deec:642:ac10:80
$