[dns-operations] Always replying to UDP requests with TC=1, good practice or not
Ralf Weber
dns at fl1ger.de
Mon Oct 19 06:28:28 UTC 2015
Moin!
On 18 Oct 2015, at 20:33, bert hubert wrote:
> On Sun, Oct 18, 2015 at 05:21:50PM +0100, Shane Kerr wrote:
>> At BII we had to change source code on BIND and PowerDNS to test the
>> behavior. (With PowerDNS it was a one line change because there was
>> already an option to truncate all ANY queries.) :)
>
> So is this wise, I don't know. We have one relatively large-scale resolver
> operator doing TC=1 for everything via dnsdist, and they report it works for
> them.
Interesting. My experiences with clients switching to TCP have been mixed,
but my testing was a couple of years ago with CPEs primarily. Just out
of curiosity, is the connection from dnsdist to the actual resolver also
TCP, or is that UDP?
In general, answering TC=1 for every query seems like a bad idea as it
triples the RTT for every query, as others said. On the authoritative
side this is mitigated by resolvers caching. For this domain I didn't see
the truncate-all behaviour when I tried to reach it, so maybe it was
something they did under attack. On the resolver side I am pretty sure
it would slow down things noticeably.
> I think this is a university campus with DoS issues caused by their
> residents.
That might explain why they don't complain (slow service still is
better than no service ;-).
So long
-Ralf
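To make the mechanics discussed in this thread concrete, here is an added example (not code from the thread, dnsdist, BIND or PowerDNS) that parses the DNS header, rewrites a full UDP response into the header-plus-question TC=1 reply a "truncate everything" deployment sends, and counts the round trips a client then spends. The sample response for example.com and the 3-RTT cost model (UDP query, TCP handshake, TCP query) are constructed assumptions.

```python
import struct

HDR = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
QR, TC = 0x8000, 0x0200         # flag bits per RFC 1035 section 4.1.1

# Constructed sample: response to "example.com A" with one answer (192.0.2.1).
# Flags 0x8180 = QR|RD|RA; the answer name is a compression pointer to offset 12.
QNAME = b"\x07example\x03com\x00"
QUESTION = QNAME + struct.pack("!HH", 1, 1)                       # QTYPE A, QCLASS IN
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
FULL_RESPONSE = HDR.pack(0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER


def question_end(msg: bytes) -> int:
    """Offset just past the question section (names plus QTYPE/QCLASS)."""
    qdcount = HDR.unpack_from(msg)[2]
    off = HDR.size
    for _ in range(qdcount):
        while True:
            n = msg[off]
            if n & 0xC0 == 0xC0:      # compression pointer terminates the name
                off += 2
                break
            off += 1 + n              # length octet plus label bytes
            if n == 0:                # root label ends the name
                break
        off += 4                      # QTYPE + QCLASS
    return off


def truncate_all(msg: bytes) -> bytes:
    """Server side: keep header and question only, set TC, zero the RR counts.
    This is what 'TC=1 for everything' hands back to every UDP client."""
    ident, flags, qd, _an, _ns, _ar = HDR.unpack_from(msg)
    return HDR.pack(ident, flags | TC, qd, 0, 0, 0) + msg[HDR.size:question_end(msg)]


def needs_tcp_retry(msg: bytes) -> bool:
    """Client side: a response (QR=1) with TC=1 must be retried over TCP."""
    flags = HDR.unpack_from(msg)[1]
    return bool(flags & QR) and bool(flags & TC)


def round_trips(msg: bytes) -> int:
    """Assumed cost model: 1 RTT for the UDP exchange; a TC=1 reply adds the
    TCP handshake (1 RTT) and the TCP query/response (1 RTT), so 3 in total.
    Ignores TCP Fast Open, connection reuse and any cached answer."""
    return 3 if needs_tcp_retry(msg) else 1
```

Running `truncate_all(FULL_RESPONSE)` yields a 29-byte TC=1 reply, which `round_trips` prices at three RTTs against one for the untruncated answer.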