[dns-operations] Always replying to UDP requests with TC=1, good practice or not

Ralf Weber dns at fl1ger.de
Mon Oct 19 06:28:28 UTC 2015


On 18 Oct 2015, at 20:33, bert hubert wrote:

> On Sun, Oct 18, 2015 at 05:21:50PM +0100, Shane Kerr wrote:
>> At BII we had to change source code on BIND and PowerDNS to test the
>> behavior.  (With PowerDNS it was a one line change because there was
>> already an option to truncate all ANY queries.) :)
> So is this wise, I dont know. We have one relatively largescale 
> resolver
> operator doing TC=1 for everything via dnsdist, and they report it 
> works for
> them.
Interesting. My experiences with clients switching to TCP have been 
but my testing was a couple of years ago with CPEs primarily. Just out
of curiosity is the connection from dnsdist to the actual resolver also
TCP or is that UDP?

In general answering TC=1 for every query seems like a bad idea as it
triples the RTT for every query, as other said. On the authoritative
side this mitigated by resolvers caching. For this domain I didn't see
the truncate all behaviour when I tried to reach it, so maybe it was
something they did under attack. On the resolver side I am pretty sure
it would slow down things noticeably.

> I think this is a university campus with DoS issues caused by their
> residents.
That might explain why they don't complain (slow service still is
better than no service ;-).

So long

More information about the dns-operations mailing list