[dns-operations] Force TCP for external queries to Open Resolvers?
Paul Wouters
paul at nohats.ca
Sun Mar 31 16:54:23 UTC 2013
On Sun, 31 Mar 2013, Stephane Bortzmeyer wrote:
>> Say reply to queries from external networks with a short truncated
>> UDP to signal querier to turn to TCP?
>
> Even better, allow only TCP from the beginning. This would completely
> suppress the amplification (that you still have with the truncated
> response).
>
> As far as I know, no existing resolving software implements that so
> the only way to deploy this approach would be with instructing the
> firewall to block incoming UDP/53.
Not true. unbound allows you to only accept clients using TCP.
from "man unbound.conf":
do-udp: <yes or no>
Enable or disable whether UDP queries are answered or issued.
Default is yes.
do-tcp: <yes or no>
Enable or disable whether TCP queries are answered or issued.
Default is yes.
tcp-upstream: <yes or no>
Enable or disable whether the upstream queries use TCP only for
transport. Default is no. Useful in tunneling scenarios.
The tcp-upstream is there specifically for tunneling DNS over TCP, such
as when you want all DNS to go over the TOR network, or when UDP 53 is
being transparently proxied to a bad DNS proxy.
Paul
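To make the two approaches in this thread concrete (a short TC=1 UDP reply that pushes the querier to TCP, versus the TCP-only listener unbound's do-udp/do-tcp give you), here is an added example that is not part of the thread or of unbound: it builds a minimal query, produces the truncated reply a resolver would send, and measures the response-to-query byte ratio. The record layout follows RFC 1035/6891; the function names are my own.

```python
import struct

def build_query(qname, qtype=1, txid=0x1234, edns=False):
    """Constructed DNS query: 12-byte header, one question, optional EDNS0 OPT record."""
    arcount = 1 if edns else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    for label in qname.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", qtype, 1)                   # QTYPE, QCLASS=IN
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size 4096, TTL 0, RDLENGTH 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return pkt

def question_end(pkt):
    """Offset just past the first question (name + QTYPE + QCLASS)."""
    i = 12
    while pkt[i] != 0:
        i += 1 + pkt[i]          # queries carry uncompressed labels only
    return i + 1 + 4

def truncated_reply(query):
    """Minimal UDP reply with TC=1: the querier is expected to retry over TCP."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    rflags = 0x8000 | (flags & 0x7900) | 0x0200   # QR=1, keep OPCODE/RD, TC=1, RCODE=0
    # echo only the question; the OPT record and anything else additional is dropped,
    # so the reply can never be larger than the query that triggered it
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + query[12:question_end(query)]

def is_truncated(pkt):
    """True when the TC bit is set in the header flags."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & 0x0200)

def amplification(query, reply):
    """Bytes sent back per byte received; for a TC-only reply this is at most 1.0."""
    return len(reply) / len(query)

if __name__ == "__main__":
    for edns in (False, True):
        q = build_query("example.com", edns=edns)
        r = truncated_reply(q)
        print(f"edns={edns}: query {len(q)} B, TC reply {len(r)} B, ratio {amplification(q, r):.2f}")
```

The ratio stays at or below 1.0, but each query still earns the spoofed source one reply packet; only refusing UDP altogether (do-udp: no) removes that reflection.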