On Sun, 31 Mar 2013, Stephane Bortzmeyer wrote:

> > Say reply to queries from external networks with a short truncated
> > UDP to signal querier to turn to TCP?
> 
> Even better, allow only TCP from the beginning. This would completely
> suppress the amplification (that you still have with the truncated
> response).
> 
> As far as I know, no existing resolving software implements that so
> the only way to deploy this approach would be with instructing the
> firewall to block incoming UDP/53.

Not true. unbound allows you to only accept clients using TCP.

from "man unbound.conf":

       do-udp: <yes or no>
              Enable  or  disable  whether UDP queries are answered or issued.
              Default is yes.

       do-tcp: <yes or no>
              Enable or disable whether TCP queries are  answered  or issued.
              Default is yes.

       tcp-upstream: <yes or no>
              Enable  or disable whether the upstream queries use TCP only for
              transport.  Default is no.  Useful in tunneling scenarios.

The tcp-upstream is there specifically for tunneling DNS over TCP, such
as when you want all DNS to go over the TOR network, or when UDP 53 is
being transparently proxied to a bad DNS proxy.

Paul
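To make the configuration concrete, here is an added example (not from the post above or from the unbound project): two constructed unbound.conf server: sections, the default one that still answers UDP beside a TCP-only one built from the three options quoted from the man page, plus a small linter that reads the section and reports whether clients can only reach the resolver over TCP. It only understands do-udp, do-tcp and tcp-upstream and assumes unbound's documented defaults (yes, yes, no) and that the last occurrence of an option wins; everything else in the file is ignored.

```python
"""Check an unbound.conf 'server:' section for TCP-only client service.

Added example for the dns-operations thread; it is not unbound's own code.
Assumptions: defaults of do-udp yes, do-tcp yes, tcp-upstream no (from the
man page excerpt); if an option is repeated, the last value wins.
"""
from __future__ import annotations

DEFAULTS = {"do-udp": True, "do-tcp": True, "tcp-upstream": False}

# Constructed sample: an open resolver with the defaults, so UDP/53 is
# answered and the server can be used as a reflector/amplifier.
DEFAULT_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow   # open to everyone
"""

# Constructed sample: the TCP-only variant Paul describes. With do-udp: no
# there is no UDP answer at all, truncated or otherwise, so nothing to amplify.
TCP_ONLY_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    do-udp: no          # do not answer (or send) UDP queries
    do-tcp: yes         # answer TCP queries
    tcp-upstream: yes   # also use TCP towards upstream servers (tunneling case)
"""


def parse_server_options(text: str) -> dict[str, bool]:
    """Return the three transport options from the server: clause.

    Comments (#) are stripped; a line consisting only of 'name:' starts a
    new clause, and only options inside 'server:' are considered.
    """
    opts = dict(DEFAULTS)
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):           # clause header, e.g. server: / forward-zone:
            in_server = line == "server:"
            continue
        if not in_server:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().lower()
        if key in DEFAULTS:
            if value not in ("yes", "no"):
                raise ValueError(f"{key}: expected yes or no, got {value!r}")
            opts[key] = value == "yes"
    return opts


def client_transports(text: str) -> set[str]:
    """Transports on which the resolver will answer client queries."""
    opts = parse_server_options(text)
    return {name for name, key in (("udp", "do-udp"), ("tcp", "do-tcp")) if opts[key]}


def is_tcp_only_for_clients(text: str) -> bool:
    """True only when UDP answering is off and TCP answering is on.

    do-udp: no together with do-tcp: no would answer nothing at all, so that
    combination is reported as False rather than as 'TCP only'.
    """
    return client_transports(text) == {"tcp"}


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("tcp-only", TCP_ONLY_CONF)):
        print(f"{label}: answers clients over {sorted(client_transports(conf))}, "
              f"tcp-only={is_tcp_only_for_clients(conf)}, "
              f"tcp-upstream={parse_server_options(conf)['tcp-upstream']}")
```

Running it prints that the default section answers over both udp and tcp while the second answers over tcp only. Before relying on the TCP-only section on a real server, still run unbound's own `unbound-checkconf` against the full file, since this script deliberately ignores every other option.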
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs