[dns-operations] Software that refuses an answer by QTYPE if it comes over plain UDP?

Tony Finch dot at dotat.at
Wed Mar 16 11:45:31 UTC 2016


Dave Warren <davew at hireahit.com> wrote:
>
> Yet CloudFlare went further, disabling them over TCP as well. I'm a little
> disappointed by this as they're certainly a timesaver when troubleshooting
> (although I suppose that doesn't make any difference to them)

Hmm. Thinking about it further, you're probably right that from the point
of view of avoiding bad effects from abuse, it's OK to give a full reply
to ANY over TCP. I've amended my BIND patch to do that. (link below)

Cloudflare have two reasons for minimal ANY responses: to quell abusive
clients, and to avoid query amplification in the back-end of their DNS
implementation. Their servers are on-demand DNSSEC signing proxies, and
it's hard for them to assemble an ANY response. So they don't want to do
it over TCP almost as much as over UDP.

https://git.csx.cam.ac.uk/x/ucs/ipreg/bind9.git/commitdiff/04307dc9780fcaf3c5fd1aa9786156dd4dee8543

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
North Utsire, South Utsire, East Forties: Variable 3 or 4, becoming northerly
or northwesterly 4 or 5. Slight or moderate. Fog banks. Moderate or good,
occasionally very poor.
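Added example, not part of Tony's message and not code from the BIND patch he links: a toy authoritative responder in Python that applies the policy discussed above, answering an ANY query with a single RRset when it arrives over UDP but with every RRset when it arrives over TCP, and reporting the amplification factor (response bytes per query byte) each choice produces. The zone contents, the rule of returning the smallest RRset over UDP, and all helper names are this example's own assumptions.

```python
import struct

# Constructed toy zone (documentation addresses), RDATA already in wire form.
QTYPE_A, QTYPE_MX, QTYPE_TXT, QTYPE_AAAA, QTYPE_ANY = 1, 15, 16, 28, 255
CLASS_IN = 1
ZONE = {
    "example.com.": {
        QTYPE_A:    [bytes([192, 0, 2, 1])],
        QTYPE_AAAA: [bytes.fromhex("20010db8000000000000000000000001")],
        QTYPE_MX:   [struct.pack("!H", 10) + b"\x04mail\x07example\x03com\x00"],
        QTYPE_TXT:  [bytes([len(t)]) + t for t in (b"v=spf1 -all", b"x" * 200)],
    }
}


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, qname, qtype):
    """Build a minimal query: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_question(msg):
    """Return (id, qname, qtype) from a single-question DNS message."""
    qid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, ".".join(labels) + ".", qtype


def select_rrsets(rrsets, qtype, transport):
    """Policy (this example's assumption): ANY over UDP gets only the smallest
    RRset; ANY over TCP gets every RRset; other QTYPEs are answered normally."""
    if not rrsets:
        return {}
    if qtype != QTYPE_ANY:
        return {qtype: rrsets[qtype]} if qtype in rrsets else {}
    if transport == "tcp":
        return dict(rrsets)
    smallest = min(rrsets, key=lambda t: sum(len(r) for r in rrsets[t]))
    return {smallest: rrsets[smallest]}


def build_response(query, transport):
    """Answer the query from ZONE under the transport-aware ANY policy."""
    qid, qname, qtype = parse_question(query)
    rrsets = select_rrsets(ZONE.get(qname, {}), qtype, transport)
    owner = encode_name(qname)
    answers, ancount = b"", 0
    for rtype, rdatas in rrsets.items():
        for rdata in rdatas:
            answers += owner + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
            ancount += 1
    header = struct.pack("!HHHHHH", qid, 0x8500, 1, ancount, 0, 0)  # QR, AA, RD
    return header + query[12:] + answers


def answer_count(response):
    return struct.unpack("!H", response[6:8])[0]


def amplification(query, response):
    """Bytes returned per byte received; the quantity a reflector abuses."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query(1, "example.com.", QTYPE_ANY)
    for transport in ("udp", "tcp"):
        r = build_response(q, transport)
        print(transport, len(r), "bytes,", answer_count(r), "RRs,",
              "amplification %.1fx" % amplification(q, r))
```

Over TCP the client has already completed a handshake, so the source address is not spoofable and the full answer costs nothing in reflection risk; over UDP the single-RRset reply keeps the amplification factor close to 1, which is the whole point of the policy.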