Using TCP for DNS Queries
```
$ echo exit | telnet 192.168.1.5 53
Trying 192.168.1.5...
Connected to 192.168.1.5.
Escape character is '^]'.
Connection closed by foreign host.
```

```
$ dig www.google.com @192.168.1.5

; <<>> DiG 9.11.36-RedHat-9.11.36-8.el8_8.1 <<>> www.google.com @192.168.1.5
;; global options: +cmd
;; connection timed out; no servers could be reached
```
Hmm, looks fishy, especially since I just used telnet to connect to port 53. Google-Fu OK, after some reading and thinking: telnet connected over TCP, but DNS queries go over UDP port 53 by default (TCP/53 is normally only used for zone transfers and for answers too large to fit in a UDP datagram). So the likely explanation is that something between this host and 192.168.1.5 is passing TCP/53 but dropping UDP/53. I bet that's it. Let's see if we can dig using TCP.
```
$ dig www.google.com @192.168.1.5 +tcp

; <<>> DiG 9.10.6 <<>> www.google.com @192.168.1.5 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58292
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     232 IN  A   64.233.177.105
www.google.com.     232 IN  A   64.233.177.106
www.google.com.     232 IN  A   64.233.177.99
www.google.com.     232 IN  A   64.233.177.104
www.google.com.     232 IN  A   64.233.177.147
www.google.com.     232 IN  A   64.233.177.103

;; Query time: 19 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Thu Aug 03 09:07:05 EDT 2023
;; MSG SIZE  rcvd: 139
```
Well, look at that, we can use TCP for DNS. Now, how do I get NetworkManager to actually use TCP for DNS? Google-Fu Ah-ha! You can use nmcli to set ipv4.dns-options to "use-vc". NetworkManager writes that into /etc/resolv.conf as "options use-vc", and use-vc is the glibc resolver option (see resolv.conf(5)) that makes every lookup go over TCP instead of UDP. Let's give it a whirl…
```
# cat /etc/resolv.conf
# Generated by NetworkManager
search internal.net
nameserver 192.168.1.5

# nmcli con mod ens192 ipv4.dns-options "use-vc"
# systemctl restart NetworkManager

# cat /etc/resolv.conf
# Generated by NetworkManager
search internal.net
nameserver 192.168.1.5
options use-vc
```
Alright, that did something. Now, let's see if we can dig without using the "+tcp" option…hmm, still times out. That is actually expected: use-vc is a glibc resolver option, and dig has its own resolver that does not honor it, so dig keeps sending UDP unless you pass +tcp. Does the host command work?
```
$ host www.google.com
www.google.com has address 64.233.177.99
www.google.com has address 64.233.177.103
www.google.com has address 64.233.177.104
www.google.com has address 64.233.177.105
www.google.com has address 64.233.177.106
www.google.com has address 64.233.177.147
www.google.com has IPv6 address 2607:f8b0:4002:c09::67
www.google.com has IPv6 address 2607:f8b0:4002:c09::69
www.google.com has IPv6 address 2607:f8b0:4002:c09::6a
www.google.com has IPv6 address 2607:f8b0:4002:c09::93
```
Yep, that did it. So we're in business, using DNS over TCP by setting the option "use-vc". To confirm that the libc resolver itself is taking the TCP path, rather than one particular tool, run "getent ahosts www.google.com" (it goes through glibc's getaddrinfo(), which is what most applications use) with "tcpdump -ni any port 53" alongside it; the capture should show TCP rather than UDP to 192.168.1.5. One thing to keep in mind: use-vc forces TCP for every lookup, so each resolution now costs a TCP handshake, and it is a workaround for whatever is dropping UDP/53, not a fix for it. Granted nobody will read this, but it's here so I'll remember it one day in the future, when I run across this again…