Hello Petr,

This setup was not meant to address a specific problem or be implemented in a production situation. I am running an experiment and one of the criteria was for clients to connect with us via tcp only. I don't have control on the clients (only nameserver) and relying on whether clients have set certain flags is not a viable option in my case unfortunately.

Best Regards,
Donika

On 01.10.21 10:47, Petr Menšík wrote:
Hi Donika,

I think it can be partially achieved by options use-vc in
/etc/resolv.conf on end clients. But I doubt every software would
process this flag, only part of them would use it. I doubt many daemons
doing direct DNS queries would follow such configuration.

Can you share why you are even attempting to move to TCP only? What is
your motivation? What should it solve?

Regards,
Petr

On 9/30/21 15:17, Donika Mirdita wrote:
Hello,

I have set up a nameserver and I would like to force all future client
requests to TCP only.
Essentially, one scenario would be for all UDP requests to be
countered with a packet that has the TC bit set so the connection
is retried via TCP. I want this rule to be applicable to all incoming
requests, with no actual data exchange
via UDP, even for a simple dig request. I tried achieving this with
the following 2 strategies but with no success:

1. set split value to 1 (in the rate-limit argument in
named.conf.options)

2. I also tried to set up a response policy zone. I added the following
in named.conf.options

         response-policy {
                 zone "rpz.example.com" policy tcp-only;
         };

      and the appropriate CNAME record for rpz-tcp-only. in
rpz.example.com.

Neither worked out.

I know this scenario is not compliant with standard DNS, it is only an
experimental setup.
I am using bind 9.16.1 and the OS is Ubuntu 20.04.
If anyone has ideas on how to achieve this with bind, it would be very
helpful.

Best Regards,

Donika Mirdita
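The UDP-to-TCP exchange described in the post above, as an added illustration that is not code from this thread or from BIND: it builds a constructed sample UDP query, produces the truncated (TC=1) reply such a server would return, and shows the client-side check that triggers the TCP retry. The function names and the sample query are assumptions made for the example.

```python
"""Minimal DNS header handling to illustrate the TC-bit forcing described above.

Added example, not code from the thread or from BIND. The query is a
constructed sample, not captured traffic.
"""
import struct

QR = 0x8000  # response flag
TC = 0x0200  # truncation flag: client should retry over TCP (RFC 1035)
RD = 0x0100  # recursion desired


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive UDP query (QTYPE 1 = A, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def question_section(msg: bytes) -> bytes:
    """Return the bytes of the single question that follows the 12-byte header."""
    end = msg.index(b"\x00", 12) + 1 + 4  # root label, then QTYPE and QCLASS
    return msg[12:end]


def make_tc_response(query: bytes) -> bytes:
    """Reply a UDP-refusing server sends: same ID and question, QR+TC set, no records."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    resp_flags = QR | TC | (flags & RD)
    header = struct.pack("!HHHHHH", txid, resp_flags, qdcount, 0, 0, 0)
    return header + question_section(query)


def parse_flags(msg: bytes) -> dict:
    """Decode the header fields a client inspects before deciding to retry."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0xF}


def should_retry_over_tcp(query: bytes, response: bytes) -> bool:
    """Client-side decision: retry over TCP only for a matching, truncated reply."""
    q, r = parse_flags(query), parse_flags(response)
    return r["qr"] and r["tc"] and r["id"] == q["id"]
```

Sending the output of make_tc_response to every UDP query is exactly the behaviour the post asks for; whether a given client honours TC=1 and retries over TCP is up to that client, which is the caveat raised in the reply.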

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users