force nameserver(bind) information exchanges with clients via tcp only

Donika Mirdita donika.mirdita at sit.tu-darmstadt.de
Fri Oct 1 23:12:18 UTC 2021


Hello Petr,

This setup was not meant to address a specific problem or be implemented 
in a production situation. I am running an experiment
and one of the criteria was for clients to connect with us via tcp only. 
I don't have control over the clients (only the nameserver), and relying on
whether clients have set certain flags is not a viable option in my case,
unfortunately.

Best Regards,
Donika

On 01.10.21 10:47, Petr Menšík wrote:
> Hi Donika,
>
> I think it can be partially achieved by the option use-vc in
> /etc/resolv.conf on end clients. But I doubt every software would
> process this flag; only part of them would use it. I doubt many daemons
> doing direct DNS queries would follow such configuration.
>
> Can you share why you are even attempting to move to TCP only? What is
> your motivation? What should it solve?
>
> Regards,
> Petr
>
> On 9/30/21 15:17, Donika Mirdita wrote:
>> Hello,
>>
>> I have set up a nameserver and I would like to force all future client
>> requests to TCP only.
>> Essentially, one scenario would be for all UDP requests to be
>> countered with a packet that has the TC bit set so the connection
>> is retried via TCP. I want this rule to be applicable to all incoming
>> requests: no actual data exchange
>> via UDP, even for a simple dig request. I tried achieving this with
>> the following 2 strategies but with no success:
>>
>> 1. set split value to 1 (in the rate-limit argument in
>> named.conf.options)
>>
>> 2. I also tried to setup a response policy zone. I added the following
>> in named.conf.options
>>
>>          response-policy {
>>                  zone "rpz.example.com" policy tcp-only;
>>          };
>>
>>       and the appropriate CNAME record for rpz-tcp-only. in
>> rpz.example.com.
>>
>> Neither worked out.
>>
>> I know this scenario is not compliant with standard DNS; it is only an
>> experimental setup.
>> I am using bind 9.16.1 and the OS is Ubuntu 20.04.
>> If anyone has ideas on how to achieve this with bind, it would be very
>> helpful.
>>
>> Best Regards,
>>
>> Donika Mirdita
>>
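The mechanism the original post is after (a UDP query answered with an otherwise empty response that has the TC bit set, so the client retries the same question over TCP) is what BIND's rate-limit "slip" responses and an RPZ tcp-only policy both produce on the wire. The script below is an added illustration written for this thread, not code from the posters or from BIND: it builds a query, generates that kind of truncated reply, and shows the check a client performs before re-sending over TCP, including the two-octet length prefix that DNS-over-TCP requires. All function names and the sample query are this example's own assumptions.

```python
"""Added example (not from the thread): what a "TC-only" UDP answer looks like.

BIND's rate-limit `slip` and an RPZ `tcp-only` policy both work the same way on
the wire: the server answers a UDP query with an otherwise empty response that
has the TC (truncated) flag set, and a compliant resolver retries the same
question over TCP (length-prefixed framing per RFC 1035 section 4.2.2).
Only the standard library is used; the function names are this example's own.
"""
import struct
from typing import Tuple

QTYPE_A = 1
QCLASS_IN = 1

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: client should retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_qname(name: str) -> bytes:
    """Encode "example.com" as <7>example<3>com<0> (RFC 1035 wire labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_qname(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """A plain recursive query: 12-octet header plus one question, no records."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Split the 12-octet header into the fields a client cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def truncated_reply(query: bytes) -> bytes:
    """Server side: answer a UDP query with TC=1 and no records at all.

    This is the shape of a BIND RRL "slip" response or an RPZ tcp-only hit:
    same ID, same question echoed back, QR and TC set, RD copied from the
    query, rcode NOERROR, and zero answer/authority/additional records.
    """
    hdr = parse_header(query)
    question = query[12:]  # the question section, echoed unchanged
    flags = FLAG_QR | FLAG_TC | (FLAG_RD if hdr["rd"] else 0) | FLAG_RA
    header = struct.pack("!HHHHHH", hdr["id"], flags, hdr["qdcount"], 0, 0, 0)
    return header + question


def needs_tcp_retry(query: bytes, response: bytes) -> bool:
    """Client side: retry over TCP only if this really is our truncated answer."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return False  # not a response, or not a response to our query
    if r["rcode"] != 0 or r["qdcount"] != 1:
        return False
    _, qend = decode_qname(query, 12)
    qend += 4  # qtype + qclass
    if response[12:qend] != query[12:qend]:
        return False  # echoed question does not match what we asked
    return r["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    # constructed sample: a recursive A query for example.com with ID 0x1234
    query = build_query(0x1234, "example.com")
    reply = truncated_reply(query)
    print(parse_header(reply))
    if needs_tcp_retry(query, reply):
        print("TC set: resend %d bytes over TCP" % len(tcp_frame(query)))
```

Running it shows the reply carrying QR and TC with every record count at zero, which is exactly the packet a client would have to see for every UDP query if the nameserver behaved as the original post describes; the matching of ID and echoed question in needs_tcp_retry is the part a real stub resolver performs before it opens the TCP connection.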

