
Author: Government Security Group

Name servers not allowing TCP connections to be found

Impact: High
Common error ID: wxa-1011

What this means

DNS queries can be made over both UDP and TCP. The IETF specification DNS Transport over TCP describes the requirements that name server implementations must meet.

If name servers do not allow TCP connections, certain DNS queries, especially those that require larger responses, may fail.

Why this is a problem

Blocking TCP connections can lead to incomplete DNS responses and failures in DNS resolution, particularly for DNSSEC-signed zones or large DNS responses.

It can also cause outbound email delivery failure if a domain’s TXT records cannot be read by the receiving email service, and SPF validation fails.

How to check if the problem is still there

Use the dig command with the +tcp option against a specific name server to test if it responds to TCP queries.

Example

Find the name servers.

dig ns example.gov.uk +short

ns1.example.gov.uk
ns2.example.gov.uk

Query each name server in turn to see if it responds to queries over TCP.

dig +tcp +short example.gov.uk @ns1.example.gov.uk

203.0.113.0

If the query fails (for example it times out or the connection is refused), the problem remains for that name server.
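As an added example, not part of the original guidance, the following Python 3 script (standard library only) performs the same check as the dig commands above but speaks DNS over TCP directly: it builds a query, sends it with the two-byte length prefix that TCP transport requires, reads the framed reply, and reports any name server that refuses the connection, times out, or answers with an error code. The zone and name server names are assumed placeholders in the style of the page's example.gov.uk; the script does not discover the name servers itself, so pass them on the command line after the zone.

```python
import secrets
import socket
import struct
import sys

DNS_PORT = 53
QTYPE = {"A": 1, "NS": 2, "TXT": 16}  # TXT is the record type SPF lives in


def build_query(name, qtype=QTYPE["A"], txid=0x1234):
    """Build a single-question DNS query in RFC 1035 wire format (RD flag set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def frame_tcp(message):
    """DNS over TCP prefixes every message with its length as a 2-byte big-endian integer."""
    return struct.pack("!H", len(message)) + message


def parse_header(message):
    """Decode the 12-byte DNS header into the fields this check cares about."""
    txid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # set on responses
        "tc": bool(flags & 0x0200),  # truncated; should not happen over TCP
        "rcode": flags & 0x000F,     # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
        "ancount": ancount,
    }


def recv_exact(sock, n):
    """Read exactly n bytes or raise; TCP may deliver a message in several pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def query_tcp(server, name, qtype=QTYPE["A"], timeout=5.0):
    """Send one query to `server` on TCP/53 and return the parsed response header.

    Raises OSError (refused, reset, timed out) or ValueError (malformed reply).
    """
    txid = secrets.randbelow(0x10000)  # random ID so spoofed replies are harder to match
    query = build_query(name, qtype, txid)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as sock:
        sock.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        response = recv_exact(sock, length)
    if len(response) < 12:
        raise ValueError("reply shorter than a DNS header")
    header = parse_header(response)
    if header["id"] != txid or not header["qr"]:
        raise ValueError("reply is not a response to our query")
    return header


def check_name_servers(name, servers, qtype=QTYPE["A"]):
    """Return {server: bool}; False means the TCP query failed or returned an error rcode."""
    results = {}
    for server in servers:
        try:
            results[server] = query_tcp(server, name, qtype)["rcode"] == 0
        except (OSError, ValueError):
            results[server] = False
    return results


def failing_servers(results):
    """Name servers on which the problem described above is still present."""
    return sorted(server for server, ok in results.items() if not ok)


if __name__ == "__main__":
    # Usage (assumed placeholder names):
    #   python3 check_tcp53.py example.gov.uk ns1.example.gov.uk ns2.example.gov.uk
    zone, nameservers = sys.argv[1], sys.argv[2:]
    outcome = check_name_servers(zone, nameservers)
    for ns, ok in outcome.items():
        print(f"{ns}: {'OK' if ok else 'FAILED'}")
    sys.exit(1 if failing_servers(outcome) else 0)
```

Passing `QTYPE["TXT"]` to `check_name_servers` repeats the check for the record type that SPF validation depends on. A non-zero exit status makes the script usable from a scheduled job so that a regression is noticed before mail delivery starts failing.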

How to fix it

Allow TCP connections on port 53 on your name servers and on any network infrastructure that routes DNS query traffic to and from those servers.
