
I want to set up an experimental nameserver that asks clients to send requests via TCP only, by sending back packets with the TC bit set. For that purpose I tried to work with the rate-limit parameter in the named.conf.options file, but I couldn't make it work. I set:

    rate-limit {
            responses-per-second 1;
            slip 0;
    };

But if I make a dig request for an RR, the reply I get back does not have the TC bit set, nor is it via TCP; it is still a UDP packet. How do I force my server to only interact with TCP connections?

I am using bind9 and my OS is Ubuntu 20.04.

Mnemosyne
    The bind RRL feature is here to combat abuse by too many queries, so it won't be triggered by a single one. "How do I force my server to only interact with tcp connections?" You won't be compliant anymore, but for local tests it is fine: just drop UDP traffic. A client (but it depends which one) may then try again by using TCP. Have a look also maybe at `dnsdist` as a frontend; it has a more elaborate engine to control the reply. – Patrick Mevzek Sep 29 '21 at 03:50
  • Hello Patrick, do you mean changing the iptables to drop all incoming UDP packets? Is there no other, less drastic alternative perhaps? – Mnemosyne Sep 29 '21 at 10:39
  • Yes, I meant that, and obviously it makes it not DNS compliant anymore, so not good for production. I have no other ideas besides what I wrote in my comment above; let us wait for others to provide other possible ideas as answers. – Patrick Mevzek Sep 29 '21 at 14:58
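
Two things about the posted `rate-limit` block are worth spelling out. BIND's RRL only acts once the count of identical responses to a client network exceeds `responses-per-second` inside the window, so a single `dig` never trips it. And `slip 0` means that the excess responses which are rate limited are dropped, not truncated; it is `slip 1` that turns every rate-limited response into a TC=1 reply, and the default of `slip 2` truncates every second one. RRL is therefore an abuse-mitigation knob, not a switch that moves all clients to TCP.

For a lab where every UDP query should be answered with TC=1 so that the client retries over TCP, the small responder below does exactly that. It is an added example for this thread, not code from the original question or from BIND: it listens on UDP, copies the query ID and question section into a reply with QR=1 and TC=1 and no records, and leaves the TCP side to whatever real server you are testing. The bind address and port (127.0.0.1:5353) are assumptions, and such a responder is deliberately non-compliant, so it is for experiments only.

```python
"""Lab-only UDP responder that answers every DNS query with TC=1.

Added example for this thread, not code from the original post or from BIND.
A nameserver that truncates every UDP answer is not standards-compliant; this
is only a way to watch what a TC=1 reply looks like on the wire and how a
client such as dig falls back to TCP. The bind address and port are assumptions.
"""
import socket
import struct

# DNS message header (RFC 1035 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")

FLAG_QR = 0x8000       # message is a response
FLAG_OPCODE = 0x7800   # opcode bits, echoed back unchanged
FLAG_TC = 0x0200       # truncated: client should retry over TCP
FLAG_RD = 0x0100       # recursion desired, echoed back unchanged


def build_query(qid: int, name: str, qtype: int = 1, rd: bool = True) -> bytes:
    """Encode a single-question query (default A/IN); used to feed the responder offline."""
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    header = DNS_HEADER.pack(qid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def question_length(msg: bytes) -> int:
    """Length in bytes of the first question entry (QNAME + QTYPE + QCLASS)."""
    i = DNS_HEADER.size
    while True:
        if i >= len(msg):
            raise ValueError("QNAME runs past end of message")
        label_len = msg[i]
        if label_len == 0:
            i += 1
            break
        if label_len & 0xC0:  # compression pointers are not valid in a question
            raise ValueError("compression pointer in QNAME")
        i += 1 + label_len
    if i + 4 > len(msg):
        raise ValueError("QTYPE/QCLASS missing")
    return i + 4 - DNS_HEADER.size


def make_truncated_response(query: bytes) -> bytes:
    """Reply with QR=1, TC=1, the same ID and question, and no records at all.

    An EDNS OPT record in the query is intentionally not echoed (ARCOUNT=0);
    that is acceptable for a lab responder whose only job is to signal TC.
    """
    if len(query) < DNS_HEADER.size:
        raise ValueError("short header")
    qid, flags, qdcount, _an, _ns, _ar = DNS_HEADER.unpack_from(query)
    if flags & FLAG_QR:
        raise ValueError("message is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qlen = question_length(query)
    rflags = FLAG_QR | FLAG_TC | (flags & (FLAG_OPCODE | FLAG_RD))
    header = DNS_HEADER.pack(qid, rflags, 1, 0, 0, 0)
    return header + query[DNS_HEADER.size:DNS_HEADER.size + qlen]


def is_truncated(msg: bytes) -> bool:
    """True when the TC bit is set in the header of a full-size message."""
    return bool(DNS_HEADER.unpack_from(msg)[1] & FLAG_TC)


def serve(addr=("127.0.0.1", 5353)):  # address and port are assumptions for the lab
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(addr)
    while True:
        data, peer = sock.recvfrom(4096)
        try:
            reply = make_truncated_response(data)
        except ValueError:
            continue  # malformed input: drop it rather than answer it
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

With the responder running, `dig @127.0.0.1 -p 5353 example.com` prints `;; Truncated, retrying in TCP mode.` and repeats the same query over TCP to the same port, which is where the TCP-only server under test should be listening; `dig +ignore` instead shows the `tc` flag in the reply and does not retry, which is handy for checking the UDP side on its own.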

0 Answers