DNS Server UDP Query Limitation
Info Nessus Plugin ID 18356
SynopsisThe remote DNS server is not RFC1035 compliant.
DescriptionA DNS server is running on this port but it only answers to UDP requests. This means that TCP requests are blocked by a firewall.
This configuration is not RFC-compliant. Contrary to common belief, TCP transport is not restricted to zone transfers (AXFR) :
- answers bigger than 512 bytes are always transmitted over TCP.
- for all other requests, UDP is only 'preferred' for performance reasons. i.e. RFC1035 (STD0013) does not forbid a DNS client from issuing its queries directly over TCP.
SolutionIf you are sure that the DNS server will never return answers bigger than 512 bytes and that the client software prefers UDP (which is nearly certain), you may ignore this message.