DNS Server UDP Query Limitation
Info Nessus Plugin ID 18356
SynopsisThe remote DNS server is not RFC1035 compliant.
DescriptionA DNS server is running on this port but it only answers to UDP
requests. This means that TCP requests are blocked by a firewall.
This configuration is not RFC-compliant. Contrary to common belief,
TCP transport is not restricted to zone transfers (AXFR) :
- answers bigger than 512 bytes are always transmitted
- for all other requests, UDP is only 'preferred' for
performance reasons. i.e. RFC1035 (STD0013) does not
forbid a DNS client from issuing its queries directly
SolutionIf you are sure that the DNS server will never return answers bigger
than 512 bytes and that the client software prefers UDP (which is
nearly certain), you may ignore this message.