Hey everyone! I've come across some odd behavior with TCP connections on port 53, specifically related to our internal DNS servers. I'm more focused on networking and firewall aspects rather than being a Windows admin, so I'm a bit out of my comfort zone here. We've recently implemented a network performance monitoring tool that highlights issues, and right now, it's alarming us with numerous failed connections to DNS servers. Here's the situation: workstations across our network are attempting to establish connections to our DNS servers on TCP port 53 but aren't completing the 3-way handshake. The PCs send a TCP SYN to the DNS server, which responds with a SYN+ACK, but the PCs aren't replying with the final ACK. Instead, the server times out and sends a RST. I checked and confirmed that the SYN+ACK is reaching the PCs but they're just not responding. Meanwhile, DNS queries over UDP 53 are functioning perfectly. This weird behavior is occurring frequently—around every 30 seconds—from numerous PCs, giving us a bright red alert on our dashboard. I've contacted our Windows team with the details, but they aren't seeing any issues. Any ideas on what could be causing this?
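One way to pull the symptom described above out of a packet capture, as an added example that is not part of the original post: it groups packets into per-client TCP/53 flows, lists the flows that received a SYN+ACK but never sent the final ACK, and reports the gap between each client's failed attempts. The one-line packet summary format, the addresses and the timings are all constructed for the example.

```python
"""Flag TCP/53 handshakes where the client never sends the final ACK.
Input is a constructed one-line-per-packet summary in an assumed shape
'<seconds> <src_ip:port> > <dst_ip:port> <flags>', not real tshark output."""
from collections import defaultdict

# Constructed capture: 10.0.0.11 retries every 30 s and never ACKs the
# SYN+ACK, so the server RSTs; 10.0.0.12 completes its handshake normally.
SAMPLE = """\
0.000  10.0.0.11:51002 > 10.0.1.53:53 S
0.001  10.0.1.53:53 > 10.0.0.11:51002 SA
21.001 10.0.1.53:53 > 10.0.0.11:51002 R
30.000 10.0.0.11:51003 > 10.0.1.53:53 S
30.001 10.0.1.53:53 > 10.0.0.11:51003 SA
51.001 10.0.1.53:53 > 10.0.0.11:51003 R
5.000  10.0.0.12:44010 > 10.0.1.53:53 S
5.001  10.0.1.53:53 > 10.0.0.12:44010 SA
5.002  10.0.0.12:44010 > 10.0.1.53:53 A
"""

def flow_of(src, dst, dns_port):
    # Key a packet by (client ip, client port, server ip) and give its direction.
    (s_ip, s_port), (d_ip, d_port) = src.rsplit(":", 1), dst.rsplit(":", 1)
    if d_port == str(dns_port):
        return (s_ip, s_port, d_ip), "c2s"
    if s_port == str(dns_port):
        return (d_ip, d_port, s_ip), "s2c"
    return None, None

def half_open_flows(text, dns_port=53):
    """Sorted [(client_ip, syn_time)] for flows that got a SYN+ACK but sent no ACK."""
    flows = defaultdict(dict)
    for line in text.splitlines():
        ts, src, _, dst, flags = line.split()
        key, direction = flow_of(src, dst, dns_port)
        if key is None:
            continue
        if direction == "c2s" and flags == "S":
            flows[key]["syn"] = float(ts)
        elif direction == "s2c" and flags == "SA":
            flows[key]["synack"] = float(ts)
        elif direction == "c2s" and "A" in flags:  # client finished the handshake
            flows[key]["ack"] = float(ts)
    return sorted((k[0], st["syn"]) for k, st in flows.items()
                  if "syn" in st and "synack" in st and "ack" not in st)

def retry_intervals(half_open):
    """Seconds between consecutive failed SYNs per client (~30 s in the question)."""
    by_client = defaultdict(list)
    for ip, t in half_open:
        by_client[ip].append(t)
    return {ip: [round(b - a, 3) for a, b in zip(ts, ts[1:])]
            for ip, ts in by_client.items()}
```

Run against the constructed sample it names only 10.0.0.11, with a 30 s gap between its failed attempts, while the completed handshake from 10.0.0.12 is ignored.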
5 Answers
It sounds like a client-side issue where the PCs aren't completing the TCP handshake. This could be due to misconfigured security software on the workstations. It might be worth checking those out and reviewing any network configurations on the devices.
Definitely dig into the workstations! Something's off.
Have you considered that these might be DNS over TLS requests? Though, they shouldn't typically be using port 53, so it's worth double-checking.
Right! TCP 53 is generally for standard DNS requests that were truncated, not for DNS over TLS.
It might also be a problem with security software or even an MTU issue affecting the TCP traffic. Those could cause such behavior too, so keep an eye out for those factors.
TCP port 53 is usually utilized for larger DNS responses, and with the rise of DNSSEC and large TXT records, it's more common for clients to make these requests. Do you happen to have IPv6 running internally? That could also lead to larger responses that necessitate TCP.
Since I'm not a Windows expert either, I'd suggest checking for any local firewalls on those desktops that might be interfering with operations. Those could block the return ACKs as well.

Got it. Time to start uninstalling agents one by one to see if that helps...