Alpine Linux 3.18 fixes DNS over TCP issue, now ready for all the internet's problems

The latest update to the ultra-lightweight Alpine Linux distro, as widely used for hosting Docker containers, fixes an important issue. There are many relatively small new features in Alpine 3.18, but one of them, while niche, could prove significant. One of several unusual things about Alpine Linux is that it doesn't use …

  1. JanCeuleers

    The "so what" portion is missing from the article

    I'm not an expert, but one reason I'm aware of why DNS over TCP is required is that only over TCP can large DNS replies be handled (such as when looking up TXT records in the context of SPF verifications done by incoming mail servers). Since UDP does not guarantee that segments are transmitted in order, or indeed at all, segmentation of large packets is supported only over TCP. The RFCs say that a DNS query initially made over UDP must be retried over TCP if the reply was too large to fit into a single packet.

    1. MatthewSt

      Re: The "so what" portion is missing from the article

      I believe DNS over TLS and DNS over HTTPS also make use of TCP (if they fall under this category).

  2. DougMac

    DNS over TCP is used anytime the response is over 512 characters.

    With DNSSec, SPF records, DKIM records, large MX record sets, etc. all being over 512 characters, not being able to receive a DNS packet response over TCP is a severe deficiency.

    If all you are doing is looking up web site addresses, it might not be such an issue, but if you are doing email in what-so-ever fashion, most likely things were failing left and right for Alpine users.

    1. Bebu

      dns udp v tcp

      Modern DNS can handle udp responses > 512 bytes with extensions (EDNS0) but middleware boxes can sabotage this so falling back to tcp is still vital.

      I vaguely recall sites running DJB's qmail stopped talking to us when our MX records didn't fit into 512 bytes and for some strange DJB reason qmail's resolver code didn't fall back to tcp or some such. The embarrassment of MX records was only during a transition from one set of mail servers and services to another and once completed "normal" service for qmail was restored.

      So I can imagine Alpine Linux users might have found this omission from their libc an irritation. If I were stuck in this situation I would intercalate a functional intercept libresolv.so shared library. Had to do this when hardening some Irix 6.5 boxes many years ago.
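The UDP-first, check-the-TC-bit, retry-over-TCP behaviour that JanCeuleers, DougMac and Bebu describe (including the EDNS0 size advertisement Bebu mentions), as an added Python stub-resolver example; it is not code from the article or from Alpine/musl. The server address, the name queried and the 1232-byte EDNS buffer size are assumptions, not values from the page.

```python
import socket
import struct

QTYPE_TXT = 16   # TXT records (SPF/DKIM) are the usual >512-byte offenders
QCLASS_IN = 1

def encode_name(name):
    # "example.com." -> b"\x07example\x03com\x00" (length-prefixed labels, then root)
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=QTYPE_TXT, txid=0x1234, edns_udp_size=None):
    # Header: id, flags 0x0100 (recursion desired), 1 question, optional OPT in additional.
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    if edns_udp_size:
        # EDNS0 OPT pseudo-RR (RFC 6891): root name, type 41, class = UDP payload size we accept.
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def is_truncated(msg):
    # TC is bit 0x02 of flags byte 2 (QR=0x80, AA=0x04, TC=0x02, RD=0x01).
    return len(msg) >= 12 and bool(msg[2] & 0x02)

def tcp_frame(msg):
    # RFC 1035 4.2.2: over TCP every DNS message carries a 2-byte big-endian length prefix.
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS server closed the TCP stream early")
        buf += chunk
    return buf

def resolve(name, server, qtype=QTYPE_TXT, edns_udp_size=None, timeout=3.0):
    # Try UDP first; if the server sets TC, repeat the same query over TCP.
    query = build_query(name, qtype, edns_udp_size=edns_udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(edns_udp_size or 512)  # classic 512-byte UDP limit
    if not is_truncated(reply):
        return reply, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", recv_exact(tcp, 2))
        return recv_exact(tcp, length), "tcp"
```

A resolver that stops after the UDP step and never inspects TC is exactly the failure mode the thread describes: large TXT or MX answers come back truncated and are silently wrong. A call such as `resolve("example.com", "192.0.2.53", edns_udp_size=1232)` (assumed addresses) returns the raw reply plus which transport finally delivered it.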

  3. eszklar

    Sony Vaio P VGN-P11Z

    Thumbs up for Liam using this machine. I too have one but am currently running MX Linux XFCE 32-bit on it. Love it to bits, wish there was an ARM version of this machine form-factor.

    As to Alpine Linux with this particular version, will consider it if I come across another machine like the Vaio P.

    Cheers Liam.

  4. razorfishsl

    The whole UDP case was for SPEED.....

    over TCP, you have to set up a formal connection, do your communication, verify the data, hold it open until you get it all, then tear it down.

    as a result it is easier to DoS in tcp than over UDP, as regards to taking the DNS down..., then there is the issue with FIN packets...
