How to Force BIND DNS Forwarder to Use TCP Mode Instead of UDP for Large Responses


When working with complex DNS architectures involving both authoritative and forwarding servers, we often encounter the ";; Truncated, retrying in TCP mode" message. This occurs when DNS responses exceed the UDP packet size limit (typically 512 bytes for legacy systems, though EDNS0 allows larger sizes).

In your specific case with BIND 9.6 on SLES10:

options {
    directory "/var/named";
    forwarders { 192.168.1.10; 192.168.1.11; };
    forward only;
    // Traditional approach would stop here
};

BIND doesn't provide a direct "forward-over-tcp-only" option, but we can implement a workaround:

options {
    // Cap UDP responses at the classic 512-byte limit so anything larger is
    // truncated and the client retries over TCP. named raises any value below
    // 512 to 512, so "0" does not switch UDP off; use the real minimum.
    max-udp-size 512;
    transfer-format many-answers;  // Pack many RRs per message in zone transfers (AXFR/IXFR)
};

server 192.168.1.10 {  // Your Windows DNS server IP
    transfer-format many-answers;
    request-ixfr no;  // Ask this server for full (AXFR) rather than incremental transfers if needed
};

server 192.168.1.11 {  // Secondary Windows DNS
    transfer-format many-answers;
};

While forcing TCP ensures complete responses, be aware of these impacts:

  • TCP connection overhead (3-way handshake) for each query
  • Higher memory usage per connection
  • Potential timeouts with misconfigured remote servers

For BIND 9.8+ users, consider response policy zones to rewrite oversized answers:

response-policy {
    zone "public.internal";
} qname-wait-recurse no max-policy-ttl 300;

After configuration, validate with:

dig +tcp @your-bind-server public.internal. SOA
dig +notcp @your-bind-server public.internal. SOA

Analyze packet flow with tcpdump:

tcpdump -i any -n port 53 -w dns-traffic.pcap

When working with BIND 9.6 on SLES10 as both a secondary DNS server and forwarder, you might encounter the ";; Truncated, retrying in TCP mode" message. This occurs because:

  • The UDP reply exceeds the 512-byte limit (common with large NS record sets)
  • TCP fallback introduces additional latency
  • Some legacy systems might not properly handle TCP fallback

To force TCP queries to forwarders, modify your named.conf. The forwarders list itself takes only an address and an optional port; the transport is chosen per forwarder address in a server statement with tcp-only, which later BIND 9 releases support but the 9.6 release discussed here does not:

options {
    forward only;
    forwarders {
        192.168.1.10 port 53;
        192.168.1.11 port 53;
    };
    allow-transfer { none; };
    allow-query { any; };
};

server 192.168.1.10 {
    tcp-only yes;  // Send every query to this forwarder over TCP
};

server 192.168.1.11 {
    tcp-only yes;
};

When implementing TCP-only forwarding:

  • Verify your Windows DNS servers support TCP (all modern versions do)
  • Check firewall rules permit TCP/53 between servers
  • Monitor connection pool usage with rndc stats

TCP connections add overhead. Improve efficiency with:

options {
    tcp-clients 1000;
    tcp-listen-queue 100;
    transfers-in 10;
    transfers-per-ns 2;
};

Use these diagnostic commands:

# Verify TCP connectivity
nc -zv forwarder.example.com 53

# Check query protocol with tcpdump
tcpdump -i eth0 'port 53 and host forwarder.example.com'

# Test with dig forcing TCP
dig +tcp @forwarder.example.com example.com NS

For modern environments, consider enabling EDNS0 instead:

options {
    edns-udp-size 4096;
    max-udp-size 4096;
};

This allows larger UDP payloads while maintaining compatibility with TCP fallback.
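To make the mechanism behind the dig message and the EDNS0 buffer size concrete, here is an added example, written for this page rather than taken from it or from BIND: a small Python client that builds a query (with or without an EDNS0 OPT record advertising the buffer that `edns-udp-size 4096` configures), checks the TC flag on the UDP reply, and re-sends the same query with the 2-byte length prefix over TCP, which is exactly what produces ";; Truncated, retrying in TCP mode". The server it talks to offline is a constructed stand-in (`fake_server`) that truncates any UDP reply larger than the client's advertised buffer; `udp_sender` and `tcp_sender` are plain socket wrappers for repeating the check against a real forwarder, and `public.internal.` is the zone name from the page. It covers both the truncation/fallback explanation at the top of the page and the EDNS0 block just above.

```python
import socket
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 6891)
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload limit when no OPT record is sent

def build_query(name, qtype=6, txn_id=0x1234, edns_udp_size=None):
    """Wire-format query (qtype 6 = SOA, RD set). With edns_udp_size, an OPT record
    advertising that buffer is appended, as `edns-udp-size 4096` makes BIND do."""
    has_opt = edns_udp_size is not None
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1 if has_opt else 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + struct.pack("!HH", qtype, 1)
    opt = b""
    if has_opt:  # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte header; 'tc' is the Truncated flag (bit 9 of FLAGS)."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def _question_end(msg):
    """Offset just past the single question entry (labels, root, QTYPE, QCLASS)."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4

def advertised_udp_size(query):
    """UDP buffer the client advertises: the OPT record's CLASS field, else 512."""
    pos = _question_end(query)
    if parse_header(query)["arcount"] == 0 or len(query) < pos + 5 or query[pos] != 0:
        return CLASSIC_UDP_LIMIT
    rtype, rclass = struct.unpack("!HH", query[pos + 1:pos + 5])
    return rclass if rtype == OPT_TYPE else CLASSIC_UDP_LIMIT

def frame_for_tcp(msg):
    """RFC 1035 4.2.2: over TCP each message is prefixed by its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def unframe_tcp(stream):
    return stream[2:2 + struct.unpack("!H", stream[:2])[0]]

def resolve(query, udp_send, tcp_send):
    """UDP first; if TC is set, repeat the query over TCP. This is the behaviour
    behind dig's ';; Truncated, retrying in TCP mode'. Returns (reply, transport)."""
    reply = udp_send(query)
    if not parse_header(reply)["tc"]:
        return reply, "udp"
    return unframe_tcp(tcp_send(frame_for_tcp(query))), "tcp"

# --- Constructed stand-in for a server, so the whole flow runs offline ----------
def _make_response(query, answer_len, truncate):
    """Echo the question; the answer is an opaque constructed payload of answer_len bytes."""
    h = parse_header(query)
    question = query[12:_question_end(query)]
    flags = 0x8180 | (0x0200 if truncate else 0)  # QR, RD, RA (+ TC)
    if truncate:  # a truncated reply keeps header and question and drops the answer
        return struct.pack("!HHHHHH", h["id"], flags, 1, 0, 0, 0) + question
    return struct.pack("!HHHHHH", h["id"], flags, 1, 1, 0, 0) + question + b"\x00" * answer_len

def fake_server(answer_len):
    """(udp_send, tcp_send) for a server whose full reply carries answer_len answer bytes:
    UDP truncates when the reply exceeds the client's advertised buffer, TCP never does."""
    def udp(query):
        full = _make_response(query, answer_len, truncate=False)
        if len(full) > advertised_udp_size(query):
            return _make_response(query, answer_len, truncate=True)
        return full
    def tcp(framed):
        return frame_for_tcp(_make_response(unframe_tcp(framed), answer_len, False))
    return udp, tcp

# --- Real transports, for repeating the check against a live forwarder ---------
def udp_sender(host, port=53, timeout=3.0):
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (host, port))
            return s.recv(65535)
    return send

def tcp_sender(host, port=53, timeout=3.0):
    def send(framed):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(framed)
            f = s.makefile("rb")  # read exactly the length-prefixed reply
            hdr = f.read(2)
            return hdr + f.read(struct.unpack("!H", hdr)[0])
    return send

if __name__ == "__main__":
    udp, tcp = fake_server(answer_len=600)  # constructed reply larger than 512 bytes
    print(resolve(build_query("public.internal."), udp, tcp)[1])                      # tcp
    print(resolve(build_query("public.internal.", edns_udp_size=4096), udp, tcp)[1])  # udp
```

Run as a script, the constructed 633-byte reply forces the classic 512-byte client onto TCP while the EDNS0 client advertising 4096 bytes receives it over UDP, which is the trade-off the `edns-udp-size` block above is about. Swapping in `udp_sender("192.168.1.10")` and `tcp_sender("192.168.1.10")` for the fake server tells you which transport a reply from your own forwarder actually needed, the same fact the tcpdump capture shows on the wire.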