[afnog] IIS & DNS

Brian Candler B.Candler at pobox.com
Tue Mar 7 20:11:04 EAT 2006


On Tue, Mar 07, 2006 at 01:06:36PM +0200, Mark Tinka wrote:
> I have a customer that is running IIS, and uses it to send 
> e-mail via DNS lookup.
> 
> The customer says IIS makes DNS queries on TCP port 53; 

IIS probably calls the Windows resolver library, and the resolver library
will make a DNS query. It can use either UDP or TCP port 53. Normally
resolvers don't choose TCP unless the response to a query is very large.
However they are quite entitled to use TCP if they wish, which means it's
not a good idea for your firewall to block this usage of DNS.

RFC 1034:

"In the Internet, queries are carried in UDP datagrams or over
TCP connections"

RFC 1035:

"4.2. Transport

The DNS assumes that messages will be transmitted as datagrams or in a
byte stream carried by a virtual circuit.  While virtual circuits can be
used for any DNS activity, datagrams are preferred for queries due to
their lower overhead and better performance.  Zone refresh activities
must use virtual circuits because of the need for reliable transfer.

The Internet supports name server access using TCP [RFC-793] on server
port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
port 53 (decimal)."

Regards,

Brian.
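
The UDP-then-TCP behaviour described in the reply above, as an added worked example (not code from the original post or from any Windows component): a stub resolver that sends an RFC 1035 query over UDP, checks the TC (truncated) bit in the reply, and repeats the query over TCP with the two-byte length framing that RFC 1035 section 4.2.2 requires. The server side is a constructed in-process stand-in (the name `fake_server`, the 40 A records in 192.0.2.0/24 and the name `mail.example.com` are all made up for the illustration) so the script runs offline; the `tcp53_blocked` flag models a firewall that drops TCP port 53 and shows why the truncated UDP answer alone is unusable.

```python
import random
import struct

DNS_PORT = 53
UDP_MAX_PAYLOAD = 512  # RFC 1035 section 2.3.4: classic UDP message limit (no EDNS)


def build_query(name, qtype=1, txid=None):
    """Build a minimal RFC 1035 section 4.1 query for `name` (QTYPE A, QCLASS IN)."""
    if txid is None:
        txid = random.randrange(0x10000)
    flags = 0x0100  # QR=0, OPCODE=QUERY, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; TC (bit 9 of flags) means 'answer was truncated, retry over TCP'."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def tcp_frame(msg):
    """RFC 1035 section 4.2.2: on TCP each message is preceded by a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream back into messages; a trailing partial message is left unread."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[i:i + 2])
        if i + 2 + n > len(stream):
            break
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs


def fake_server(query, over_tcp, nrecords=40):
    """Constructed stand-in for a name server (not a real one) returning `nrecords` A records.

    Each RR: owner name as compression pointer to offset 12, TYPE A, CLASS IN, TTL 60,
    RDLENGTH 4, address. 40 records give a 674-byte answer, which does not fit in 512 bytes.
    """
    hdr = parse_header(query)
    question = query[12:]
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, i])
                       for i in range(1, nrecords + 1))
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    full = struct.pack("!HHHHHH", hdr["id"], flags, 1, nrecords, 0, 0) + question + answers
    if over_tcp or len(full) <= UDP_MAX_PAYLOAD:
        return full
    # UDP answer does not fit: reply with header+question only and TC=1 (RFC 1035 section 4.2.1)
    return struct.pack("!HHHHHH", hdr["id"], flags | 0x0200, 1, 0, 0, 0) + question


def fake_server_tcp(stream, nrecords=40):
    """TCP side of the constructed server: unframe each query, answer it, re-frame the reply."""
    return b"".join(tcp_frame(fake_server(q, True, nrecords)) for q in tcp_unframe(stream))


def resolve(name, nrecords=40, tcp53_blocked=False):
    """Stub resolver: UDP first; if TC is set, repeat the same query over TCP (RFC 1035 section 4.2)."""
    q = build_query(name)
    resp = fake_server(q, over_tcp=False, nrecords=nrecords)
    hdr = parse_header(resp)
    if hdr["id"] != parse_header(q)["id"]:
        raise ValueError("transaction ID mismatch")
    if not hdr["tc"]:
        return {"transport": "udp", "ancount": hdr["ancount"]}
    if tcp53_blocked:
        # A firewall dropping TCP/53 leaves only the truncated UDP reply, which has no answers
        return {"transport": "tcp", "error": "TCP/53 blocked: lookup failed after TC fallback"}
    full = tcp_unframe(fake_server_tcp(tcp_frame(q), nrecords))[0]
    return {"transport": "tcp", "ancount": parse_header(full)["ancount"]}


if __name__ == "__main__":
    print(resolve("mail.example.com"))                      # large answer: falls back to TCP
    print(resolve("mail.example.com", nrecords=1))          # small answer: UDP is enough
    print(resolve("mail.example.com", tcp53_blocked=True))  # firewall blocks TCP/53: failure
```

The point for the firewall rule is the third call: with TCP/53 dropped, the resolver still gets a UDP reply, but it carries TC=1 and no answer section, so the lookup fails for exactly the records (large MX/TXT sets, DNSSEC-signed answers) that do not fit in a 512-byte datagram.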
