[dns-operations] A dns-proxy for DNS over HTTP(s)

Shane Kerr shane at time-travellers.org
Wed Aug 26 04:02:41 UTC 2015


On Tue, 25 Aug 2015 13:15:01 +0200
Jelte Jansen <jelte.jansen at sidn.nl> wrote:

> On 08/25/2015 11:29 AM, Stephane Bortzmeyer wrote:
> >
> > with UDP. (By the way, I would like to see a DNS service "public
> > resolver only reachable with TCP" using the normal DNS protocol. It
> > would be a useful looking glass, and would avoid the risks documented
> > in RFC 5358.)
> > 
> I have done some very preliminary experiments with this idea some time
> ago; I made a version of unbound that sent TC=1 to every UDP query, and
> only actually answered TCP queries.
> Unfortunately the first few machines I tried it with didn't appear to
> retry over TCP, so I didn't pursue further at that time. Might be
> willing to have another look at it if there's more people interested.

I'd be curious to see a survey of which stub resolvers could be
coerced into using TCP. :)

Presumably glibc (normally used by Linux systems) works, since it has
the "use-vc" option which forces all DNS lookups to TCP (although this
does not *necessarily* mean that TCP fallback works, of course):


Also, OpenBSD has a "options tcp" value to set this, and claims to
fall back properly to TCP if using UDP:


Anyway... interesting. :)
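The check the thread is circling around, a stub that retries over TCP when the UDP reply comes back with TC=1, can be exercised without a modified unbound. The following is an added example, not code from this thread or from any of the projects named in it. It builds a DNS query by hand, implements the UDP-then-TCP fallback that a conforming stub should perform (RFC 1035 framing, including the 2-byte length prefix on TCP), and pairs it with a constructed in-process fake server that does what Jelte describes: TC=1 on every UDP query, a real answer only over TCP. The `udp_transport`/`tcp_transport` socket helpers and the `fake_*` functions are assumptions of the example, and the 192.0.2.1 answer is constructed test data.

```python
import socket
import struct

# Minimal DNS wire-format helpers (added example, not code from the thread).
# Header layout: ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2)
TC_BIT = 0x0200      # TC (truncated) flag within the FLAGS word
RD_BIT = 0x0100      # recursion desired
QR_RA_BITS = 0x8080  # response + recursion available, set by the fake server


def build_query(qname, qtype=1, txid=0x1234):
    """Build a single-question query (type A by default) for qname."""
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return (txid, flags, qdcount, ancount) from a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags, qd, an


def is_truncated(msg):
    return bool(parse_header(msg)[1] & TC_BIT)


def resolve(query, udp_send, tcp_send):
    """Stub-resolver behaviour under test: ask over UDP first; if the reply
    is missing or carries TC=1, repeat the same query over TCP.
    Returns (response_bytes, transport_used)."""
    resp = udp_send(query)
    if resp is not None and not is_truncated(resp):
        return resp, "udp"
    return tcp_send(query), "tcp"


# --- real transports, for pointing the check at an actual resolver (assumed helpers)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def udp_transport(server, port=53, timeout=2.0):
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            try:
                return s.recv(4096)
            except socket.timeout:
                return None  # treated like a truncated reply: fall back to TCP
    return send


def tcp_transport(server, port=53, timeout=2.0):
    def send(query):
        # DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return _recv_exact(s, length)
    return send


# --- constructed fake server: TC=1 on every UDP query, full answer only on TCP

FAKE_RDATA = bytes([192, 0, 2, 1])  # constructed A record (TEST-NET-1 address)


def fake_reply(query, truncate):
    txid, _flags, _qd, _an = parse_header(query)
    question = query[12:]  # echo the question section back unchanged
    if truncate:
        flags = QR_RA_BITS | RD_BIT | TC_BIT
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    # answer RR: name pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + FAKE_RDATA
    flags = QR_RA_BITS | RD_BIT
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def fake_udp_send(query):
    return fake_reply(query, truncate=True)


def fake_tcp_send(query):
    return fake_reply(query, truncate=False)


if __name__ == "__main__":
    q = build_query("example.com")
    resp, transport = resolve(q, fake_udp_send, fake_tcp_send)
    print("answered over", transport, "ancount =", parse_header(resp)[3])
```

Run as-is it exercises only the fake server; swapping `fake_udp_send`/`fake_tcp_send` for `udp_transport(server)`/`tcp_transport(server)` points the same logic at a resolver that sets TC=1 unconditionally, which is the survey Shane asks about, done one stub implementation at a time. A stub that ignores TC and returns the empty UDP reply would show up here as `ancount = 0` over "udp".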


