These are chat archives for CZ-NIC/knot-resolver

4th Dec 2018
Vladimír Čunát
@vcunat
Dec 04 2018 06:33
Oh, I'm sorry, I misunderstood you. I shouldn't do such things at night :-) What I wrote is about using TCP in the upstream direction. You want to send the TC flag over UDP back to the client, and that doesn't have such a simple API.
I'm offline for most of today.
Petr Špaček
@pspacek
Dec 04 2018 07:00
@Elctro Please note that there is no way to force a client to communicate over TCP. We can only suggest switching to TCP using the TC flag in the DNS header, but that's all we can do; for this, set the TC bit in the module as usual.
Petr Špaček
@pspacek
Dec 04 2018 07:12
@Elctro Regarding your feature request: at the moment we have a lot of feature requests and have to prioritize, so we cannot promise it gets delivered soon. As usual, priority is given to customers with a formal support agreement, so you might consider becoming one: https://www.knot-resolver.cz/support/
Elctro
@Elctro
Dec 04 2018 09:58
I understand that forcing such a switch is not mandatory, but an optional switch is sufficient for my needs. I want to make a module that prevents attacks. During a peak I want to ask the client kindly to switch to TCP (the IP is now limited) so a normal client can still use the DNS unblocked. If the request is ignored and the attack continues (the IP becomes blocked) I want to drop all incoming requests as soon as possible. After a while a state change from blocked to limited would occur, and after a few more moments it would go back to normal.
Elctro
@Elctro
Dec 04 2018 10:06
I can achieve this already, but at the critical point I am not sure whether the ongoing peak is an attack or somebody just opened a hundred web pages at the same time. If I had the option to ask the client to switch to TCP, I'd feel more comfortable when setting the blocked stage for the attackers.
Elctro
@Elctro
Dec 04 2018 10:23
@pspacek OK, thanks for the link, we will consider it.
Petr Špaček
@pspacek
Dec 04 2018 14:55
@Elctro Maybe there is some misunderstanding. You can already write a module which sets the TC bit in answers (or at least I'm not aware of anything preventing that). The feature which is not available at the moment is just dropping answers.