We can use dig tcp and verify that the query resolves correctly, but our own AD-integrated (Server 2008) DNS server uses UDP for its forwarded queries, which time out and come back to the original client as SERVFAIL.
The conditional forwarder settings offer no choice of protocol:
RFC 1123 says
a DNS resolver or server that is sending a non-zone-transfer query
MUST send a UDP query first.
...but this was superseded in 5966
A resolver SHOULD send a UDP query first, but MAY elect to send a TCP
query instead if it has good reason to expect the response would be
truncated if it were sent over UDP
If I'm on Server 2008 (and the latest RFC is from 2010), that's not a good sign. Does anyone know of a way to force my forwarder to use only TCP (or at least to try it first)? Is this possible in any other DNS implementation, in case I have to set one up as an intermediary?
This restriction on UDP packets seems unreasonable; make sure their firewall is flexible enough to accept an exception that allows the server to send requests out over UDP port 53.
Whenever an RFC says SHOULD, you had better follow what it says, to avoid running into unspecified/unpredictable behaviour. The correct approach is to use TCP only after receiving a UDP response with the truncated bit set.
UDP is not acceptable for zone transfers, but is the recommended method
for standard queries in the Internet.
RFC 2181 (on the purpose of UDP truncation):
Where TC is set, the partial RRSet that would not completely fit may
be left in the response. When a DNS client receives a reply with TC
set, it should ignore that response, and query again, using a
mechanism, such as a TCP connection, that will permit larger replies.
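The transport rule the answer above describes (UDP first, then re-ask the same question over TCP only when the reply carries TC), as an added example that is not part of the original thread or of any DNS product mentioned in it. It is a minimal stub resolver in Python using only the standard library; the server address, the query name and the sample replies it checks against are constructed for illustration, and the `tcp_first` switch stands for the RFC 5966 "MAY" case in which a resolver goes straight to TCP because it has good reason to expect truncation (or, as in the question, because UDP/53 is blocked on the path to the forwarder).

```python
import secrets
import socket
import struct

# Added example, not code from the thread. Names, server and replies are constructed.
QTYPE_A = 1
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated (RFC 1035 section 4.1.1)
FLAG_RD = 0x0100   # recursion desired


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Build a single-question DNS query with RD set, in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN


def flags_of(msg):
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return struct.unpack(">H", msg[2:4])[0]


def is_truncated(msg):
    """True when the server set TC: its answer did not fit the UDP payload."""
    return bool(flags_of(msg) & FLAG_TC)


def needs_tcp_retry(reply, txid):
    """RFC 2181 section 9: a reply with TC set is ignored and the question is
    re-sent over a transport that permits larger replies (TCP). A reply whose
    transaction ID does not match ours is not ours and is discarded."""
    if struct.unpack(">H", reply[:2])[0] != txid:
        raise ValueError("transaction ID mismatch; discard reply")
    return is_truncated(reply)


def tcp_frame(msg):
    """RFC 1035 section 4.2.2: over TCP each message is prefixed with a 2-byte length."""
    return struct.pack(">H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full message arrived")
        buf += chunk
    return buf


def query_udp(query, server, port=53, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        reply, _ = s.recvfrom(4096)
        return reply


def query_tcp(query, server, port=53, timeout=3.0):
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(tcp_frame(query))
        (length,) = struct.unpack(">H", recv_exact(s, 2))
        return recv_exact(s, length)


def resolve(qname, server, qtype=QTYPE_A, tcp_first=False):
    """UDP first, TCP on truncation; tcp_first=True skips UDP entirely.
    Returns (reply bytes, transport used). The transaction ID is random so a
    spoofed reply cannot be matched by guessing a fixed value."""
    txid = secrets.randbits(16)
    query = build_query(qname, qtype, txid)
    if not tcp_first:
        reply = query_udp(query, server)
        if not needs_tcp_retry(reply, txid):
            return reply, "udp"
    return query_tcp(query, server), "tcp"


def constructed_reply(query, truncated):
    """Constructed sample reply: the question echoed back with QR set,
    and TC set when a server could not fit its answer into the datagram."""
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    return query[:2] + struct.pack(">H", flags) + query[4:]


if __name__ == "__main__":
    # Offline demonstration against the constructed replies; no network needed.
    q = build_query("example.com")
    for tc in (False, True):
        decision = needs_tcp_retry(constructed_reply(q, tc), 0x1234)
        print("TC set  " if tc else "TC clear", "->",
              "re-ask over TCP" if decision else "accept the UDP reply")
```

Against a live server you would call `resolve("example.com", "192.0.2.53")`, and `resolve(..., tcp_first=True)` when the path only passes TCP/53. Note that `needs_tcp_retry` raises on a transaction ID mismatch rather than silently accepting the datagram, because a UDP reply that does not match the outstanding ID is either stray or spoofed and must never be used.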
They had better have a very good reason for not allowing UDP 53 (highly unlikely).