force nameserver(bind) information exchanges with clients via tcp only

Petr Menšík pemensik at redhat.com
Fri Oct 1 08:47:10 UTC 2021


Hi Donika,

I think it can be partially achieved by options use-vc in
/etc/resolv.conf on end clients. But I doubt every software would
process this flag, only part of them would use it. I doubt many daemons
doing direct DNS queries would follow such configuration.

Can you share why you are even attempting to move to TCP only? What is
your motivation? What should it solve?

Regards,
Petr

On 9/30/21 15:17, Donika Mirdita wrote:
> Hello,
>
> I have set up a nameserver and I would like to force all future client
> requests to TCP only.
> Essentially, one scenario would be for all UDP requests to be
> countered with a packet that has the TC bit set so the connection
> is retried via TCP. I want this rule to be applicable to all incoming
> requests, no actual data exchange
> via UDPs, even for a simple dig request. I tried achieving this with
> the following 2 strategies but with no success:
>
> 1. set split value to 1 (in the rate-limit argument in
> named.conf.options)
>
> 2. I also tried to setup a response policy zone. I added the following
> in named.conf.options
>
>         response-policy {
>                 zone "rpz.example.com" policy tcp-only;
>         };
>
>      and the appropriate CNAME record for rpz-tcp-only. in
> rpz.example.com.
>
> Neither worked out.
>
> I know this scenario is not compliant with standard DNS, it is only an
> experimental setup.
> I am using bind 9.16.1 and the OS is Ubuntu 20.04.
> If anyone has ideas on how to achieve this with bind, it would be very
> helpful.
>
> Best Regards,
>
> Donika Mirdita
>

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
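The mechanism discussed in this thread, shown as an added example rather than code from either poster: a minimal stub resolver that queries over UDP, inspects the TC bit in the reply header, and retries the same query over TCP with the 2-byte length framing that DNS-over-TCP uses; the `use_vc` flag skips UDP entirely, which is the behaviour Petr refers to for clients that honour `options use-vc`. `truncated_reply()` builds what a server that answers every UDP query with TC=1 and no answers would send back, so the parsing and fallback path can be checked without a network. The server address and the name `example.com` are placeholders.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: client is expected to retry over TCP
FLAG_RD = 0x0100  # recursion desired


def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query for `name` (type A by default, class IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; this is all a client needs to spot TC."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def truncated_reply(query):
    """Constructed reply of a TCP-only server: QR=1, TC=1, question echoed, no answers."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_QR | FLAG_TC, qd, 0, 0, 0)
    return header + query[12:]


def frame_tcp(msg):
    """DNS over TCP prefixes every message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full DNS message arrived")
        buf += chunk
    return buf


def query_tcp(query, server, port=53, timeout=2.0):
    """Send one framed query over TCP and return the unframed response."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def resolve(name, server, port=53, use_vc=False, timeout=2.0):
    """Return (transport_used, response_bytes); use_vc=True means TCP from the start."""
    query = build_query(name)
    txid = parse_header(query)["id"]
    if not use_vc:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            resp, _ = s.recvfrom(4096)
        hdr = parse_header(resp)
        if hdr["id"] != txid or not hdr["qr"]:
            raise ValueError("UDP reply does not match our query")
        if not hdr["tc"]:
            return "udp", resp
    # Either TC was set or the caller asked for TCP only (use-vc behaviour).
    return "tcp", query_tcp(query, server, port, timeout)


if __name__ == "__main__":
    import sys
    # Placeholder server address; pass the nameserver to test as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    transport, response = resolve("example.com", target)
    print(transport, parse_header(response))
```

Running it against a server that sets TC on every UDP reply prints `tcp`, which is the observable check for the behaviour Donika is after; against an ordinary server it prints `udp`. Note that this fallback only happens in software that implements the TC handling itself or goes through the system stub resolver, which is the limitation Petr raises.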


