[dns-operations] Always replying to UDP requests with TC=1, good practice or not
bert hubert
bert.hubert at netherlabs.nl
Sun Oct 18 18:33:19 UTC 2015
On Sun, Oct 18, 2015 at 05:21:50PM +0100, Shane Kerr wrote:
> At BII we had to change source code on BIND and PowerDNS to test the
> behavior. (With PowerDNS it was a one line change because there was
> already an option to truncate all ANY queries.) :)
So is this wise? I don't know. We have one relatively large-scale resolver
operator doing TC=1 for everything via dnsdist, and they report it works for
them.
I think this is a university campus with DoS issues caused by their
residents.
You can configure this as follows in dnsdist:
addAction({"0.0.0.0/0", "::/0"}, tcAction())
There are other ways of achieving the same effect too.
Bert
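
Added example, not part of the original message and not dnsdist's code: a Python model of the UDP reply a "TC=1 for everything" front end sends and of the client-side check that triggers the TCP retry. All function names are hypothetical, the query is constructed sample data, and the reply shape (header plus echoed question, empty record sections) is an assumption about a truncating responder in general.

```python
import struct

QR_BIT = 0x8000  # message is a response
TC_BIT = 0x0200  # truncated: client should retry over TCP
RD_BIT = 0x0100  # recursion desired

def build_query(qid, name, qtype=255):
    """Constructed sample input: one-question query (qtype 255 = ANY), RD set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, RD_BIT, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def question_end(msg):
    """Offset just past the first question; QNAME must be uncompressed."""
    pos = 12
    while pos < len(msg) and msg[pos] != 0:
        if msg[pos] & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1 + msg[pos]
    end = pos + 1 + 4  # root label, QTYPE, QCLASS
    if end > len(msg):
        raise ValueError("question runs past end of packet")
    return end

def truncated_reply(query):
    """Assumed reply shape: same ID and question, QR and TC set, no records."""
    if len(query) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & QR_BIT or qdcount != 1:
        raise ValueError("not a single-question query")
    end = question_end(query)
    # Keep the opcode bits and RD from the query, set QR and TC.
    reply_flags = QR_BIT | TC_BIT | (flags & 0x7800) | (flags & RD_BIT)
    header = struct.pack("!HHHHHH", qid, reply_flags, 1, 0, 0, 0)
    return header + query[12:end]

def must_retry_over_tcp(reply):
    """Client-side check: TC set means drop the UDP answer and retry on TCP."""
    return bool(struct.unpack("!H", reply[2:4])[0] & TC_BIT)

def amplification_factor(query, reply):
    """Reply bytes per query byte; a source-spoofed query gains nothing at 1.0."""
    return len(reply) / len(query)
```

Because the truncated reply is never larger than the query, a spoofed-source UDP query yields no amplification, while a genuine client sees TC=1 and completes the lookup over TCP.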