
Today I've been playing with some options in unbound.conf just for fun. I've enabled tcp-upstream but it doesn't work with some domains.

OS: OpenBSD current. Unbound: 1.4.19

Examples with tcp-upstream enabled:

--> dig www.google.com  

; <<>> DiG 9.4.2-P2 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30362
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         43200   IN      A       173.194.34.210
www.google.com.         43200   IN      A       173.194.34.212
www.google.com.         43200   IN      A       173.194.34.211
www.google.com.         43200   IN      A       173.194.34.209
www.google.com.         43200   IN      A       173.194.34.208

;; Query time: 579 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:01:54 2013
;; MSG SIZE  rcvd: 112

--> dig www.facebook.com  

; <<>> DiG 9.4.2-P2 <<>> www.facebook.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48116
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; Query time: 4529 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:02:05 2013
;; MSG SIZE  rcvd: 34

/var/log/messages shows this error for the facebook query:

unbound: [29654:0] error: tcp connect: Connection refused

With tcp-upstream disabled:

--> dig www.facebook.com  

; <<>> DiG 9.4.2-P2 <<>> www.facebook.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50721
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; ANSWER SECTION:
www.facebook.com.       43200   IN      CNAME   star.c10r.facebook.com.
star.c10r.facebook.com. 43200   IN      A       173.252.101.26

;; Query time: 692 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 20 01:06:20 2013
;; MSG SIZE  rcvd: 74

I guess the problem is some servers don't permit TCP clients. Is there a workaround for this issue? Is tcp-upstream really usable in the real world?

I know UDP is a better protocol for DNS. I don't need an answer like "use UDP instead". I'm only asking about this problem with DNS over TCP and whether it is reliable in the real world.

Rufo El Magufo
  • TCP has always been supported for DNS, but the original RFC seemed ambiguous, so _[RFC 5966, DNS Transport over TCP - Implementation Requirements](https://tools.ietf.org/html/rfc5966)_ from August 2010 says: "_This document therefore updates the core DNS protocol specifications such that support for TCP is henceforth a REQUIRED part of a full DNS protocol implementation._" – Ron Maupin Feb 22 '18 at 04:20

3 Answers


DNS works with small messages and responses most of the time (just do a spattering of random queries and think about the space needed for a compact representation of the query and the response). For this use, UDP is ideal (no connection setup/teardown costs). Some queries have bulky answers (for instance, look at the output of nslookup -query=any google.com), which don't fit into a minimal UDP datagram. Those are asked and answered over TCP.

vonbrand
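The UDP-first, TCP-on-truncation behaviour this answer describes, written out as an added Python example (not code from the answer or from unbound). It builds a raw RFC 1035 query, shows the 2-byte length prefix that TCP transport requires, and falls back to TCP only when the UDP reply has the TC bit set; `server` is assumed to be a resolver or authoritative address you are allowed to query, such as the 127.0.0.1 in the question.

```python
import socket
import struct

def build_query(name, qtype=1, qid=0x1234):
    """Minimal RFC 1035 query: 12-byte header (RD set) plus one question, class IN.
    A fixed qid is used for readability; real clients pick a random one."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def tcp_frame(msg):
    """Over TCP every DNS message carries a 2-byte big-endian length prefix (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Pull the fields that matter for transport decisions out of a response header."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0x000F, "tc": bool(flags & 0x0200), "ancount": ancount}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed TCP stream mid-message")
        buf += chunk
    return buf

def query_udp(server, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(512)  # classic non-EDNS limit; larger answers come back with TC set

def query_tcp(server, name, timeout=3.0):
    # A "Connection refused" here is the failure the question's unbound log shows.
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(name)))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)

def resolve(server, name):
    """Normal resolver behaviour: UDP first, TCP only when the UDP answer is truncated.
    unbound's tcp-upstream skips the UDP step entirely, which is why a server that
    blocks TCP/53 only breaks lookups when that option is on."""
    resp = query_udp(server, name)
    if parse_header(resp)["tc"]:
        resp = query_tcp(server, name)
    return parse_header(resp)
```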

With the availability of EDNS (http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS) most DNS queries including IPv6 and DNSSEC can be answered using UDP. Hence many server providers do not allow incoming connections to TCP port 53. Use of TCP is usually restricted to zone transfers.

So if you are planning to create a recursive DNS server for local clients, it should be based on UDP as all servers support UDP, and most do not support TCP.

Saurabh Barjatiya
  • TCP has always been supported for DNS, but the original RFC seemed ambiguous, so _[RFC 5966, DNS Transport over TCP - Implementation Requirements](https://tools.ietf.org/html/rfc5966)_ from August 2010 says: "_This document therefore updates the core DNS protocol specifications such that support for TCP is henceforth a REQUIRED part of a full DNS protocol implementation._" – Ron Maupin Feb 22 '18 at 04:18

Check it out in the unbound documentation:

   outgoing-num-tcp: <number>
          Number  of  outgoing TCP buffers to allocate per thread. Default
          is 10. If set to 0, or if do_tcp is  "no",  no  TCP  queries  to
          authoritative servers are done.

   incoming-num-tcp: <number>
          Number  of  incoming TCP buffers to allocate per thread. Default
          is 10. If set to 0, or if do_tcp is "no", no  TCP  queries  from
          clients are accepted.