My network is built using a good separation of zones. It is set up so that I do most things myself and rely on third parties like an ISP only for the connection itself.
So I have servers on a separate network, including a caching DNS server and a proxy. There is a LAN where our PCs and phones connect. Traffic is managed by the awesome pfSense firewall.
Most surfing we do is via the proxy, but outbound HTTP(S) from the LAN is not prohibited. So recently I found that YouTube only works through the proxy and not directly. I checked all the usual suspects, did traceroutes etc., and everything turned out OK.
Until I went to my terminal and tried some things:
$ http youtube.com
HTTP/1.1 301 Moved Permanently
Alternate-Protocol: 80:quic,p=0
Content-Length: 0
Content-Type: text/html
Date: Fri, 31 Jul 2015 07:12:35 GMT
Location: http://www.youtube.com/
Server: gwiseguy/2.0
X-XSS-Protection: 1; mode=block
Looks good, so we need to go to www.youtube.com.
$ http www.youtube.com
http: error: ConnectionError: HTTPConnectionPool(host='www.youtube.com', port=80): Max retries exceeded with url: / (Caused by <class 'socket.gaierror'>: [Errno -2] Name or service not known)
So, a DNS problem, even though youtube.com itself did resolve?
$ host www.youtube.com
;; Truncated, retrying in TCP mode.
;; connection timed out; no servers could be reached
What caught my eye is 'Truncated, retrying in TCP mode', so I ran the same host command from the server network:
$ host www.youtube.com
;; Truncated, retrying in TCP mode.
www.youtube.com is an alias for youtube-ui.l.google.com.
youtube-ui.l.google.com has address 85.234.204.207
youtube-ui.l.google.com has address 85.234.204.211
youtube-ui.l.google.com has address 85.234.204.230
youtube-ui.l.google.com has address 85.234.204.221
youtube-ui.l.google.com has address 85.234.204.222
youtube-ui.l.google.com has address 85.234.204.215
youtube-ui.l.google.com has address 85.234.204.251
youtube-ui.l.google.com has address 85.234.204.245
youtube-ui.l.google.com has address 85.234.204.236
youtube-ui.l.google.com has address 85.234.204.241
youtube-ui.l.google.com has address 85.234.204.237
youtube-ui.l.google.com has address 85.234.204.226
youtube-ui.l.google.com has address 85.234.204.234
youtube-ui.l.google.com has address 85.234.204.249
youtube-ui.l.google.com has address 85.234.204.219
youtube-ui.l.google.com has IPv6 address 2a00:1450:400c:c02::5b
Same command, but here it does work... in TCP mode.
So back to the firewall, and I see that traffic from LAN to SERVERS is allowed on port 53, UDP only. So I set it to allow UDP+TCP and bingo, YouTube works on the LAN without the proxy.
The explanation is rather simple: the response for www.youtube.com is simply too big for UDP, so the server marks it as truncated and the client library retries over TCP, which I had not explicitly allowed on my network. Hence YouTube was 'broken'.
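As an added example (not code from the original post), here is a small stub resolver in Python that reproduces the behaviour described above: send the query over UDP, check the TC bit in the response header, and on truncation retry the same query over TCP with the 2-byte length prefix. It assumes plain A-record queries and the RFC 1035 header layout; the server address and name are command-line arguments.

```python
import socket
import struct

TC_FLAG = 0x0200  # TrunCation bit in the DNS header flags word (RFC 1035 4.1.1)

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: one question, A record, IN class, RD=1."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def is_truncated(response: bytes) -> bool:
    """True when the server set TC: the UDP answer was cut short, retry over TCP."""
    if len(response) < 12:
        raise ValueError("DNS header is 12 bytes")
    flags = struct.unpack(">H", response[2:4])[0]
    return bool(flags & TC_FLAG)

def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack(">H", len(message)) + message

def resolve(name: str, server: str, timeout: float = 3.0) -> tuple:
    """UDP first, TCP/53 on truncation, like a stub resolver; returns (transport, raw)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        resp, _ = udp.recvfrom(512)  # classic UDP payload limit without EDNS
    if not is_truncated(resp):
        return "udp", resp
    # A timeout on this leg is the symptom from the post: UDP/53 passed, TCP/53 dropped.
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        length = struct.unpack(">H", tcp.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = tcp.recv(length - len(data))
            if not chunk:
                raise ConnectionError("TCP/53 closed before the full answer arrived")
            data += chunk
    return "tcp", data

if __name__ == "__main__":
    import sys
    transport, raw = resolve(sys.argv[1], sys.argv[2])  # e.g. www.youtube.com <dns-server-ip>
    print(f"answered over {transport}, {len(raw)} bytes")
```

Run it once from the LAN and once from the server network against the caching resolver: a name with a large answer that returns "tcp" from one zone and times out from the other points straight at the missing TCP/53 rule.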
Conclusion
For a long time I've looked at DNS as a UDP-based protocol that you could use over TCP if you wanted. This problem, however, shows that DNS relies on TCP to work, so we as system or network admins have to take that into consideration.
So, go forth and open TCP in your firewalls for port 53!