force nameserver(bind) information exchanges with clients via tcp only

Ondřej Surý ondrej at isc.org
Sat Oct 2 06:53:28 UTC 2021


Hi Donika,

I would recommend adding dnsdist proxy on top of BIND 9. I believe it has all the tools you need (TCPRule as selector and TCAction to truncate).

You can run dnsdist on external interface and named on localhost. Using the right tool for the job is half of the success ;)

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
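As an added illustration of the setup recommended above (this is not configuration from the thread or from ISC/PowerDNS, and the addresses and port are assumptions), a minimal dnsdist.conf that fronts a BIND 9 instance bound to localhost and answers every UDP query with a TC-bit response so the client retries over TCP:

```lua
-- Added example dnsdist.conf, not part of the original thread.
-- Assumptions: 192.0.2.10 is the external interface, and named has been
-- told to listen only on 127.0.0.1 port 5300, e.g. in named.conf:
--   listen-on port 5300 { 127.0.0.1; };
--   listen-on-v6 { none; };

-- Listen on the external interface (UDP and TCP).
setLocal("192.0.2.10:53")

-- Backend: named on localhost. Clients never reach it directly.
newServer({address = "127.0.0.1:5300"})

-- TCPRule(false) selects queries that arrived over UDP.
-- TCAction() replies with an empty answer carrying the TC bit, which makes
-- a standards-conforming client re-send the same query over TCP.
addAction(TCPRule(false), TCAction())

-- Anything that gets past the rule above arrived over TCP and is forwarded
-- to named by the default pool.
```

With this in place, `dig @192.0.2.10 example.com` should report `;; Truncated, retrying in TCP mode.` and then succeed over TCP, while `dig @192.0.2.10 example.com +ignore` shows the raw truncated UDP reply (flags containing `tc`) without the retry. Keeping named on 127.0.0.1 rather than only filtering UDP at dnsdist is what guarantees that no UDP payload is ever served by BIND itself.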

> On 2. 10. 2021, at 1:12, Donika Mirdita <donika.mirdita at sit.tu-darmstadt.de> wrote:
> 
> Hello Petr,
> 
> This setup was not meant to address a specific problem or be implemented in a production situation. I am running an experiment
> and one of the criteria was for clients to connect with us via tcp only. I don't have control on the clients (only nameserver) and relying on
> whether clients have set certain flags is not a viable option in my case unfortunately.
> 
> Best Regards,
> Donika
> 
>> On 01.10.21 10:47, Petr Menšík wrote:
>> Hi Donika,
>> 
>> I think it can be partially achieved by options use-vc in
>> /etc/resolv.conf on end clients. But I doubt every software would
>> process this flag, only part of them would use it. I doubt many daemons
>> doing direct DNS queries would follow such configuration.
>> 
>> Can you share why you are even attempting to move to TCP only? What is
>> your motivation? What should it solve?
>> 
>> Regards,
>> Petr
>> 
>>> On 9/30/21 15:17, Donika Mirdita wrote:
>>> Hello,
>>> 
>>> I have set up a nameserver and I would like to force all future client
>>> requests to TCP only.
>>> Essentially, one scenario would be for all UDP requests to be
>>> countered with a packet that has the TC bit set so the connection
>>> is retried via TCP. I want this rule to be applicable to all incoming
>>> requests, no actual data exchange
>>> via UDPs, even for a simple dig request. I tried achieving this with
>>> the following 2 strategies but with no success:
>>> 
>>> 1. set split value to 1 (in the rate-limit argument in
>>> named.conf.options)
>>> 
>>> 2. I also tried to setup a response policy zone. I added the following
>>> in named.conf.options
>>> 
>>>         response-policy {
>>>                 zone "rpz.example.com" policy tcp-only;
>>>         };
>>> 
>>>      and the appropriate CNAME record for rpz-tcp-only. in
>>> rpz.example.com.
>>> 
>>> Neither worked out.
>>> 
>>> I know this scenario is not compliant to standard DNS, it is only an
>>> experimental setup.
>>> I am using bind 9.16.1 and the OS is Ubuntu 20.04.
>>> If anyone has ideas on how to achieve this with bind, it would be very
>>> helpful.
>>> 
>>> Best Regards,
>>> 
>>> Donika Mirdita
>>> 
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>> 
>>> ISC funds the development of this software with paid support
>>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>>> information.
>>> 
>>> 
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users

