force nameserver(bind) information exchanges with clients via tcp only
Donika Mirdita
donika.mirdita at sit.tu-darmstadt.de
Thu Sep 30 13:17:07 UTC 2021
Hello,
I have set up a nameserver and I would like to force all future client
requests to TCP only.
Essentially, one scenario would be for all UDP requests to be countered
with a packet that has the TC bit set so the connection is retried via
TCP. I want this rule to apply to all incoming requests, with no actual
data exchange via UDP, even for a simple dig request. I tried achieving
this with the following two strategies but with no success:
1. set split value to 1 (in the rate-limit argument in named.conf.options)
2. I also tried to set up a response policy zone. I added the following
in named.conf.options:
response-policy {
zone "rpz.example.com" policy tcp-only;
};
and the appropriate CNAME record for rpz-tcp-only. in rpz.example.com.
Neither worked out.
I know this scenario is not compliant with standard DNS; it is only an
experimental setup.
I am using bind 9.16.1 and the OS is Ubuntu 20.04.
If anyone has ideas on how to achieve this with bind, it would be very
helpful.
Best Regards,
Donika Mirdita
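The TC-bit exchange described in the post, as an added Python example that is not part of the original message and not BIND code: it builds a constructed dig-style UDP query, answers it with an empty response whose TC flag is set (the reply shape that makes a stub resolver retry over TCP), and checks that flag the way a client would. The query ID and name are made-up sample values.

```python
import struct

# Constructed sample: roughly what "dig example.com A" sends over UDP
# (header with a made-up ID, RD set, one question), built by hand here.
def build_query(qname: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def build_tc_response(query: bytes) -> bytes:
    """Answer a UDP query with an empty, truncated response (QR=1, TC=1, RCODE=0).

    The reply echoes the ID and the question section so the client can match it
    to its outstanding query, and carries no answer records; a compliant
    resolver treats TC=1 as "retry this query over TCP" (RFC 1035 / RFC 7766).
    """
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    # Walk the question name label by label to find the end of the question.
    pos = 12
    while query[pos] != 0:
        pos += 1 + query[pos]
    question_end = pos + 1 + 4          # root label byte + QTYPE + QCLASS
    rd = flags & 0x0100                 # preserve the client's RD bit
    resp_flags = 0x8000 | 0x0200 | rd   # QR=1, TC=1, RCODE=0
    return struct.pack("!HHHHHH", qid, resp_flags, 1, 0, 0, 0) + query[12:question_end]

def is_truncated(response: bytes) -> bool:
    """True when the TC flag is set, i.e. the client should retry over TCP."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

if __name__ == "__main__":
    q = build_query("example.com")
    r = build_tc_response(q)
    print("truncated:", is_truncated(r), "response bytes:", len(r))
```

On a real server the same flag shows up in dig output as `tc` in the `flags:` line, followed by dig's automatic TCP retry.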