DNS Server UDP Query Limitation

info Nessus Plugin ID 18356
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote DNS server is not RFC1035 compliant.


A DNS server is running on this port but it only answers to UDP requests. This means that TCP requests are blocked by a firewall.

This configuration is not RFC-compliant. Contrary to common belief, TCP transport is not restricted to zone transfers (AXFR) :

- answers bigger than 512 bytes are always transmitted over TCP.
- for all other requests, UDP is only 'preferred' for performance reasons. i.e. RFC1035 (STD0013) does not forbid a DNS client from issuing its queries directly over TCP.


If you are sure that the DNS server will never return answers bigger than 512 bytes and that the client software prefers UDP (which is nearly certain), you may ignore this message.

See Also


Plugin Details

Severity: Info

ID: 18356

File Name: check_dns_tcp.nasl

Version: Revision: 1.16

Type: remote

Family: DNS

Published: 5/22/2005

Updated: 10/13/2015

Dependencies: dns_server.nasl, external_svc_ident.nasl

Vulnerability Information

Required KB Items: Settings/ThoroughTests