This article explains why some services work on TCP or UDP or both the protocols. In this article, we will explain the two most commonly services used in network environment: DNS and LDAP.
We often discuss why services use both the protocols i.e. TCP and UDP. These services can also relay on TCP instead of UDP because TCP is a connection-oriented protocol whereas UDP is connection-less then why uses UDP?
There are several reasons explained in this article:
The DNS works on TCP because TCP is a connection-oriented protocol and it requires data to be consistent at the destination whereas UDP is a connection-less protocol and doesn’t require data to be consistent or don’t need a connection to be established with host for consistency of data.
UDP packets are smaller in size and they can not be greater then 512 bytes. So any application needs data to be transferred greater than 512 bytes uses TCP.
For example, DNS uses both TCP and UDP for valid reasons described below: Note that UDP messages are not larger than 512 Bytes and are truncated when greater than this size. So DNS uses TCP for Zone transfer and UDP for name queries either regular (primary) or reverse. UDP can be used to exchange small information whereas TCP must be used to exchange information larger than 512 bytes. If a client doesn’t get response from DNS it must retransmit the data using TCP after 3-5 seconds of interval.
We all know that there shouldn’t be any inconsistency in DNS zones – to make this happen DNS always transfer Zone data using TCP because TCP is reliable and make sure zone data is consistent by transferring the full zone to other DNS servers who has requested the data.
The problem occurs when Windows 2000 server and Advanced Server products uses Dynamic ports for all above 1023. In this case your DNS server should not be Internet facing i.e. doing all standard queries for client machines on the network. The router (ACLs) must permit all UDP inbound traffic to access any high UDP ports for it to work.
LDAP: LDAP always uses TCP. LDAP doesn’t use UDP because LDAP and Netlogon services at client side requires a secure channel to be established between KDC server and Client computer to send the data and this can be done only using TCP not UDP. UDP is only used when finding a domain controller (Kerberos) for authentication.