DNS runs over two transport protocols: UDP and TCP. Ordinary lookups use UDP, but TCP is required in several well-defined cases. Knowing which transport is used when matters for performance and reliability, and for security controls: a firewall rule that allows only UDP/53 silently breaks large (typically DNSSEC-signed) responses and zone transfers.
UDP vs TCP Comparison
| Feature | UDP | TCP |
|---|---|---|
| Connection | Connectionless | Connection-oriented (3-way handshake) |
| Reliability | Best effort; a lost datagram must be detected by timeout and retried by the resolver | Reliable, in-order delivery with retransmission |
| Speed | One round trip per query | At least one extra round trip for the handshake |
| Overhead | 8-byte header, no connection state | 20-byte header plus handshake, acknowledgments and per-connection state |
| Message Size Limit | 512 bytes without EDNS0; larger when the client advertises an EDNS0 buffer size | 65,535 bytes (each message carries a 2-byte length prefix) |
| Source Address | Unauthenticated; trivially spoofed | Validated by the handshake |
| Default Port | 53 | 53 |
Scenarios Where DNS Uses UDP
Standard Queries
Applicable When:
- Most DNS queries
- Response fits in the UDP limit (512 bytes without EDNS0)
- Loss is acceptable because the resolver simply retries after a timeout
Workflow:
```text
Client → UDP 53 → DNS Server
      ↓
DNS Server processes the query
      ↓
DNS Server → UDP 53 → Client
```
UDP Advantages
✅ Fast: no connection establishment, the query is sent immediately
✅ Low Overhead: 8-byte header and no per-connection state
✅ Low Latency: one round trip per query
✅ Low Resource Usage: the server keeps no connection state, so it can serve many clients concurrently
UDP Limitations
❌ Unreliable: datagrams may be lost; the resolver must time out and retransmit
❌ Packet Size Limit: 512 bytes without EDNS0
❌ No Order Guarantee: datagrams may arrive out of order (harmless for a single-packet exchange, but there is no stream to rely on)
❌ Spoofable: no handshake validates the source address, which is what makes DNS reflection/amplification attacks and off-path cache poisoning possible; resolvers mitigate this with random source ports and transaction IDs (RFC 5452)
Scenarios Where DNS Uses TCP
1. Response Exceeds the UDP Size Limit
Trigger Conditions:
- DNSSEC signature data (RRSIG, DNSKEY) inflating the answer
- Large record sets (e.g., a long MX or TXT list)
- Any response larger than the buffer size the client advertised with EDNS0, or than 512 bytes when the query carried no EDNS0
Workflow:
```text
Client → UDP query → DNS Server (response would exceed the UDP limit)
      ↓
DNS Server replies over UDP with the TC (Truncated) flag set
      ↓
Client sees TC=1 and discards the partial answer
      ↓
Client → TCP 53 → DNS Server (same query)
      ↓
DNS Server → TCP 53 → Client (complete response)
```
Example:
```bash
# Disable EDNS0 so dig advertises only the 512-byte limit; the server answers over
# UDP with TC=1 and dig transparently repeats the query over TCP
$ dig +noedns @8.8.8.8 example.com ANY
;; Truncated, retrying in TCP mode.
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
```
The header shown is the TCP answer, which is why its flags no longer carry tc. Many resolvers answer ANY minimally (RFC 8482), so to reproduce truncation query a large DNSSEC record set such as the DNSKEY of a signed zone; `dig +ignore` keeps the truncated UDP answer so you can inspect the tc flag, and `dig +tcp` forces TCP from the start.
2. Zone Transfer
Applicable When:
- Primary (master) to secondary (slave) server synchronization
- AXFR (full zone transfer)
- IXFR (incremental zone transfer)
Workflow:
```text
Secondary Server → TCP 53 → Primary Server (AXFR or IXFR request)
      ↓
Primary Server streams the zone data, possibly as several DNS messages
      ↓
Secondary Server receives the zone and replaces or patches its copy
```
Configuration Example:
```bind
// Primary (master) server: only the listed secondaries may pull the zone
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};

// Secondary (slave) server
zone "example.com" {
    type slave;
    file "/etc/bind/db.example.com.slave";
    masters { 192.0.2.1; };
};
```
allow-transfer is the control that matters: without it (or with `any`) anyone can dump the whole zone with `dig @ns1.example.com example.com AXFR`, a standard reconnaissance step. An address list is the minimum; a TSIG key (`allow-transfer { key xfer-key; };`) is the stronger control because it does not depend on the source address.
3. DNS Dynamic Updates
Applicable When:
- DDNS (Dynamic DNS)
- Automated DNS record updates
- DHCP and DNS integration
Workflow:
```text
DHCP Server → UPDATE message (RFC 2136) → DNS Server
      ↓
DNS Server checks allow-update / update-policy (ideally a TSIG key)
      ↓
DNS Server applies the change and answers with RCODE NOERROR
```
Dynamic updates may be sent over UDP or TCP; the same truncation rule applies, so large or TSIG-signed batches end up on TCP, and `nsupdate -v` forces TCP. Accept updates only from authenticated sources: an unrestricted allow-update lets anyone rewrite the zone.
4. DNSSEC Responses Beyond the EDNS0 Buffer
Trigger Conditions:
- DNSSEC queries (DO bit set), whose RRSIG and DNSKEY records make answers large
- Any response larger than the UDP buffer size the client advertised
- Servers that deliberately truncate rather than send fragmented UDP
EDNS0 itself does not require TCP; it raises the UDP ceiling (see the next section). TCP is used only when a signed answer still does not fit, or when the client sends no EDNS0 and the 512-byte limit applies.
EDNS0 Pseudo Record (as printed by dig):
```text
OPT PSEUDOSECTION:
EDNS: version: 0, flags: do; udp: 4096
```
Role of EDNS0
Extend UDP Packet Size
Traditional Limit:
- A DNS message over UDP is at most 512 bytes (RFC 1035)
- Anything larger is truncated and must be fetched over TCP
EDNS0 Extension (RFC 6891):
```text
Client adds an OPT pseudo-record advertising its UDP buffer size (e.g. 1232 or 4096)
      ↓
DNS Server may return a response up to the smaller of that size and its own limit
      ↓
Fewer responses are truncated, so fewer queries fall back to TCP
```
Caveat: a datagram larger than the path MTU (roughly 1400 bytes on most paths) is sent as IP fragments, which firewalls and middleboxes frequently drop, leaving the client with a timeout instead of a clean TC retry. DNS Flag Day 2020 therefore recommends advertising 1232 bytes, which many resolver implementations now use as their default.
Example:
```bash
# +dnssec sets the DO bit; +bufsize sets the advertised UDP buffer (recent dig
# releases default to 1232, so 4096 is requested explicitly here)
$ dig +dnssec +bufsize=4096 @8.8.8.8 example.com
; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
```
DNS over TCP Optimization
TCP Connection Reuse
Problem: a fresh TCP connection per query costs a handshake (one round trip) plus kernel and server state, and each connection holds a file descriptor until it is closed.
Optimization: keep the connection open and send several queries over it. RFC 7766 requires clients and servers to support connection reuse and pipelining (several queries in flight, answered in any order and matched by transaction ID); the edns-tcp-keepalive option (RFC 7828) lets the server tell the client how long it may keep the connection idle. Servers still need idle timeouts and a cap on concurrent connections so that clients holding sockets open cannot exhaust the connection table.
```text
Establish TCP connection
      ↓
Query 1 → Response 1
      ↓
Query 2 → Response 2 (same connection)
      ↓
Query 3 → Response 3 (same connection)
      ↓
Close after the idle timeout
```
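The receiving side of connection reuse, as an added Python example that is not part of the original page: a reader that consumes several length-prefixed DNS messages from one TCP stream, copes with messages split or merged across recv() calls, and matches pipelined responses to outstanding queries by transaction ID regardless of the order they arrive in. The same loop is what consumes a zone transfer, which also arrives as a sequence of messages on one connection. The byte stream and the minimal replies are constructed inline; no network is used.

```python
"""Added example (not part of the original page): consume several DNS messages
from one TCP connection (RFC 7766 connection reuse and pipelining). On TCP
each message is prefixed by a 2-byte length, TCP segment boundaries do not
line up with message boundaries, and pipelined responses may arrive in any
order, so they are matched by ID. The stream below is constructed by hand."""
import struct
from typing import Dict, List


def frame(msg: bytes) -> bytes:
    """Add the 2-byte length prefix every TCP DNS message carries."""
    return struct.pack("!H", len(msg)) + msg


class TcpDnsReader:
    """Incremental parser: feed() arbitrary chunks, get back complete messages."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, chunk: bytes) -> List[bytes]:
        self.buf += chunk
        msgs: List[bytes] = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if length == 0:
                raise ValueError("zero-length DNS message on TCP stream")
            if len(self.buf) < 2 + length:
                break                      # wait for the rest of this message
            msgs.append(self.buf[2:2 + length])
            self.buf = self.buf[2 + length:]
        return msgs


def msg_id(msg: bytes) -> int:
    return struct.unpack("!H", msg[:2])[0]


def match_responses(outstanding: Dict[int, bytes],
                    chunks: List[bytes]) -> Dict[int, bytes]:
    """Drive the reader with recv()-sized chunks and pair each reply with its
    query by transaction ID. Replies with an unknown ID are dropped: on a
    reused connection they would indicate a server bug or a confused stream,
    and are never handed to the application."""
    reader = TcpDnsReader()
    answered: Dict[int, bytes] = {}
    for chunk in chunks:
        for reply in reader.feed(chunk):
            txid = msg_id(reply)
            if txid in outstanding:
                answered[txid] = reply
    return answered


def fake_reply(txid: int, payload: bytes = b"") -> bytes:
    """Constructed minimal response: header with QR=1 RD=1 RA=1, one question,
    one answer, followed by arbitrary filler standing in for the RRs."""
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + payload


if __name__ == "__main__":
    queries = {0x1111: b"q1", 0x2222: b"q2", 0x3333: b"q3"}   # pipelined, in this order
    # Responses come back out of order (0x2222 first), as pipelining allows
    stream = (frame(fake_reply(0x2222))
              + frame(fake_reply(0x1111, b"A" * 40))
              + frame(fake_reply(0x3333)))
    # Uneven split mimics TCP segment boundaries cutting through a message
    chunks = [stream[:5], stream[5:30], stream[30:]]
    print({hex(k): len(v) for k, v in match_responses(queries, chunks).items()})
```

Reading a fixed 512 bytes, or assuming one recv() returns one message, is the classic bug in hand-written TCP DNS clients; the length prefix is the only reliable delimiter.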
DNS over TLS (DoT)
```text
Client → TLS over TCP (port 853) → DNS Server
```
- Encrypts queries and responses between client and resolver (RFC 7858); an on-path observer sees only that DNS is in use, while the resolver itself still sees every query
- Runs over TCP, so large responses and connection reuse work as above; the TLS handshake adds latency, which reuse amortises
- Port 853
DNS over HTTPS (DoH)
```text
Client → HTTPS (TLS over TCP) → DoH Server
```
- Encrypts queries inside ordinary HTTPS (RFC 8484), indistinguishable on the wire from web traffic
- Uses HTTP/2 (HTTP/3 over QUIC is also deployed), carrying the DNS message as a POST body or a base64url `dns=` GET parameter
- Port 443
Performance Comparison
Latency Comparison (illustrative figures; the TCP cost is roughly one extra round trip for the handshake, so it scales with network distance)
| Scenario | UDP | TCP | Difference |
|---|---|---|---|
| Simple Query | 10-20ms | 40-60ms | TCP 2-3x slower on a fresh connection |
| Large Response | Truncated, then retried over TCP | 50-80ms | TCP avoids the wasted UDP round trip |
| Zone Transfer | Not applicable | 100-500ms | TCP required |
Throughput Comparison
| Scenario | UDP | TCP |
|---|---|---|
| Concurrent Queries | High (no connection overhead) | Medium (connection limit) |
| Large Data Transfer | Poor (packet size limit) | Excellent (streaming) |
| Zone Transfer | Not applicable | Excellent |
Best Practices
1. Prioritize UDP
```bash
# dig and nslookup send queries over UDP by default and only switch to TCP
# when the answer comes back truncated (dig +tcp forces TCP from the start)
dig @8.8.8.8 www.example.com
nslookup www.example.com
```
2. Set EDNS0 Reasonably
```bind
// named.conf
options {
    // Buffer size advertised in our own queries, and the largest UDP reply we
    // send. 4096 was the traditional value; 1232 (DNS Flag Day 2020) avoids IP
    // fragmentation, which is silently dropped on many paths
    edns-udp-size 1232;
    max-udp-size 1232;
};
```
3. Monitor TCP Usage Rate
```bash
# Track the share of queries arriving over TCP; in a BIND query log the flag
# field after the query type carries "T" for TCP queries
# A rising TCP share usually means oversized (DNSSEC) responses, EDNS0 being
# blocked or stripped on the path, or a max-udp-size set too small
```
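A concrete version of that check, as an added Python example that is not part of the original page: it parses query log lines modelled on BIND's querylog format (the flag field after the query type contains "T" for TCP and "D" for DO), computes the TCP share, excludes zone transfers, which are legitimately on TCP, and raises an alert above a threshold. The log lines, the 20 % threshold and the exact regular expression are constructed for this example.

```python
"""Added example (not part of the original page): measure the share of DNS
queries that arrived over TCP from BIND-style query log lines. The flag field
after the query type carries "T" for TCP and "D" for DO, e.g. "+E(0)TDK" =
RD set, EDNS0 version 0, TCP, DNSSEC OK, cookie. The sample lines below are
constructed, and the alert threshold is an assumed value, not a standard."""
import re
from collections import Counter
from typing import Dict, Iterable

LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.:a-f]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# Constructed sample log (BIND-style querylog format)
SAMPLE_LOG = """\
client @0x7f0a 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)
client @0x7f0b 192.0.2.11#40001 (example.com): query: example.com IN DNSKEY +E(0)TDK (192.0.2.1)
client @0x7f0c 198.51.100.7#53 (example.com): query: example.com IN AXFR -T (192.0.2.1)
client @0x7f0d 192.0.2.10#51235 (mail.example.com): query: mail.example.com IN MX +E(0)K (192.0.2.1)
client @0x7f0e 192.0.2.12#33000 (www.example.com): query: www.example.com IN AAAA +E(0)TK (192.0.2.1)
zone example.com/IN: sending notifies (serial 2024010101)
"""


def parse_query_log(lines: Iterable[str]) -> Counter:
    """Count total, TCP, per-type TCP and DO queries; non-query lines are skipped."""
    stats: Counter = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        stats["total"] += 1
        if "T" in m["flags"]:
            stats["tcp"] += 1
            stats["tcp_" + m["qtype"]] += 1
        if "D" in m["flags"]:
            stats["dnssec_ok"] += 1
    return stats


def tcp_ratio(stats: Counter) -> float:
    return stats["tcp"] / stats["total"] if stats["total"] else 0.0


def assess(stats: Counter, threshold: float = 0.20) -> Dict[str, object]:
    """Zone transfers are expected on TCP, so exclude them before judging
    whether ordinary queries are falling back to TCP too often."""
    xfr = stats["tcp_AXFR"] + stats["tcp_IXFR"]
    query_total = stats["total"] - xfr
    query_tcp = stats["tcp"] - xfr
    query_ratio = query_tcp / query_total if query_total else 0.0
    return {"tcp_ratio": tcp_ratio(stats), "query_tcp_ratio": query_ratio,
            "alert": query_ratio > threshold}


if __name__ == "__main__":
    stats = parse_query_log(SAMPLE_LOG.splitlines())
    print(dict(stats))
    print(assess(stats))
```

In the sample the DNSKEY and AAAA lookups are the ones to investigate; the AXFR from 198.51.100.7 is expected and is removed before the ratio is judged. The DO count is worth keeping alongside, because validating clients are the ones whose answers grow past the UDP limit.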
4. Optimize Zone Transfers
```bind
// Secondary: ask for incremental transfers and accept NOTIFY only from the primary.
// IXFR only works if the primary keeps a journal (a dynamic zone, or
// ixfr-from-differences yes on the primary); otherwise it falls back to AXFR
zone "example.com" {
    type slave;
    file "/etc/bind/db.example.com.slave";
    masters { 192.0.2.1; };
    allow-notify { 192.0.2.1; };
    request-ixfr yes;
};
```
Common Interview Questions
Q: Why does DNS primarily use UDP instead of TCP?
A:
- Performance: UDP doesn't need connection establishment, lower latency
- Low Overhead: UDP header only 8 bytes, TCP header 20 bytes
- Simple Queries: Most DNS query responses are less than 512 bytes
- Concurrency: UDP has no connection state, high server concurrency capability
Q: When does DNS use TCP?
A:
- Response exceeds 512 bytes (TC flag set)
- Zone transfer (AXFR/IXFR)
- DNS dynamic updates
- DNSSEC-signed responses that do not fit even the advertised EDNS0 buffer (EDNS0 itself reduces TCP use rather than requiring it)
- Client or policy chooses TCP: dig +tcp, and DoT (853) and DoH (443), which run over TCP by design
Q: What is EDNS0 and what does it do?
A: EDNS0 (Extension Mechanisms for DNS) is a DNS protocol extension, main purposes:
- Raise the UDP message limit from 512 bytes to a client-advertised size (1232 is the recommended value, 4096 is common; the field allows up to 65,535)
- Support extended flags (like DNSSEC's DO flag)
- Reduce need to switch to TCP
Q: How much slower is DNS over TCP than UDP?
A:
- Connection Establishment: the 3-way handshake costs one extra round trip, so the penalty equals the RTT (tens of ms across the internet, well under a millisecond on a LAN)
- Simple Queries: with a fresh connection per query TCP is typically 2-3x slower than UDP; with connection reuse (RFC 7766) the difference largely disappears
- Large Responses: TCP is faster in practice, because the UDP attempt comes back truncated and is repeated over TCP anyway
- Zone Transfers: TCP only, so there is no UDP figure to compare against
Summary
| Aspect | UDP | TCP |
|---|---|---|
| Primary Use | Standard queries | Zone transfers, large responses |
| Performance | Fast, one round trip | One extra round trip for the handshake; connection reuse amortises it |
| Reliability | Best effort, resolver retries | Reliable |
| Message Size | 512 bytes without EDNS0 | 65,535 bytes (2-byte length prefix) |
| Applicable Scenarios | Most queries | DNSSEC answers that do not fit, zone transfers, dynamic updates, DoT/DoH |
| Optimization Direction | EDNS0 buffer size (1232 recommended) | Connection reuse and pipelining, TLS/HTTPS |