
Domain Name Lookups using TCP

Daniel Smith
Level 1

I have been working to 'take over' a turn key network that was built for our company. In the configuration update template, I added our corporate DNS servers, domain-name, and enabled DNS lookup. When testing the name lookups, it did not work right away due to the heavy use of zone based firewall. I added 'udp 53' where needed, but still no luck. Looking at the syslogs, I was surprised to see this:

003736: Nov 16 14:49:13.805 EST: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00003098400806902881 %FW-6-DROP_PKT: Dropping tcp pkt from internal0/0/rp:0 10.38.134.102:55711 => 10.70.0.1:53(target:class)-(zp-self-WAN:class-default) due to Policy drop:classify result with ip ident 47559 tcp flag 0x2, seq 2937331081, ack 0

For the test dns lookup that I did, the router shows that a TCP/53 message was blocked by the ZBF. I know that zone transfers are typically done on this port, but this was a simple name resolution request, and I was expecting UDP/53. This has me stumped, and I appreciate any guidance that might be forthcoming!

2 Replies

Hello,

actually, DNS increasingly uses TCP port 53. The article below has a pretty good explanation:

https://www.infoblox.com/dns-security-resource-center/dns-security-faq/is-dns-tcp-or-udp-port-53/
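To make the point of the reply above concrete, here is an added example (not code from the thread or from Cisco) showing why a plain name lookup can legitimately land on TCP/53 and why a firewall rule that only permits UDP/53 breaks it: a stub resolver retries over TCP when the UDP reply carries the TC (truncated) flag, and DNS over TCP uses a different framing (a 2-byte length prefix). All messages are constructed in-process; the name example.com and the transaction id are placeholder values.

```python
"""DNS over UDP vs TCP: the TC-flag fallback and the TCP length prefix.

Added illustration, not part of the original post. Nothing here touches the
network; the query name and transaction id are constructed placeholders.
"""
import struct


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard query: RD=1, one question, QTYPE A by default, QCLASS IN (RFC 1035 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def is_truncated(reply: bytes) -> bool:
    """TC bit (0x0200 in the flags word) set means the UDP reply was cut short."""
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & 0x0200)


def frame_for_tcp(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP every message is preceded by its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def choose_transport(udp_reply: bytes) -> str:
    """Stub-resolver decision: retry the same query over TCP only if UDP reply was truncated."""
    return "tcp" if is_truncated(udp_reply) else "udp"


# Constructed sample replies (header only, no records).
# 0x8380 = QR|TC|RD|RA: the shape a resolver sees when the answer did not fit in UDP.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
# 0x8180 = QR|RD|RA: a normal, complete UDP reply.
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    query = build_query("example.com")
    print(len(query), "byte UDP query;", len(frame_for_tcp(query)), "bytes framed for TCP")
    print("truncated UDP reply ->", choose_transport(TRUNCATED_REPLY))
    print("complete UDP reply  ->", choose_transport(COMPLETE_REPLY))
```

The firewall take-away is that the self-zone policy must permit both UDP/53 and TCP/53 toward the resolvers, since the TCP retry is the same lookup, not a zone transfer.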

Interesting article. Does make me wonder if the host has enabled PMTUD, whether the host will then try using a UDP packet that matches the host's local network connection's MTU.
