
Re: [opennic-discuss] Read this in case you had issues surfing to when using my (Fusl) Tier2s

  • From: Fusl Dash <opennic AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] Read this in case you had issues surfing to when using my (Fusl) Tier2s
  • Date: Fri, 20 Feb 2015 10:17:08 +0100


On 02/19/2015 11:17 PM, Calum McAlinden wrote:
> I have seen this issue on a few servers. I believe it's caused by
> having a low max reply size of the server, which can be tested on
> the t2 test page. The only reason it happens with reddit is because
> they have loads of A records which push the answer section over the
> limit.

I thought about that already. On PowerDNS there is
"udp-truncation-threshold", which makes the Tier2 reply with a zero-sized
DNS response and the truncated bit set so the client has to
retry in TCP mode. I haven't seen any case like that but got a similar
bug yesterday when trying to use dnscrypt-proxy with my Tier2s, and
opening it simply fails. On tcpdump I see UDP queries
that get replied to with truncated 0/0/0 sized responses; glibc then
retries with TCP, after which glibc again tries over UDP but this time
with ".site" appended to the domain (most likely because it thinks the
TCP response is somehow invalid and appends my local hostname domain).
The udp-truncation-threshold unfortunately has to be set on many of my
servers since they have been used in DNS amplification attacks very
often already, and this solves 99% of those problems, but apparently
also brings some disadvantages.

Anyway... I will think about removing "udp-truncation-threshold" and
implementing some iptables rules that will hopefully help a little bit.

--
Best regards

Fusl - root AT -
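As an added example (not code from Fusl's message, from PowerDNS or from glibc): a stub-resolver view of the exchange described above, with the empty TC reply that udp-truncation-threshold produces constructed inline and the UDP/TCP transports supplied as callables so it runs offline. The reply shape (question echoed, TC set, no records) and the helper names are assumptions for illustration.

```python
import struct

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # DNS header flag bits

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query in wire format (RD set, one question, class IN)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Header fields; an/ns/ar are the counts tcpdump prints as 0/0/0."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "qd": qd, "an": an, "ns": ns, "ar": ar}

def is_empty_truncation(reply):
    """The 0/0/0 TC reply from the thread: TC set, no answer/authority/additional."""
    h = parse_header(reply)
    return h["qr"] and h["tc"] and (h["an"], h["ns"], h["ar"]) == (0, 0, 0)

def truncated_reply_for(query):
    """Constructed server side: echo the question, set TC, carry no records."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, QR | TC | RD | RA, 1, 0, 0, 0) + query[12:]

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]

def resolve_with_fallback(query, udp_send, tcp_send):
    """What a correct stub resolver does: try UDP, retry the same query over TCP if TC is set.
    udp_send/tcp_send are caller-supplied transports (bytes -> bytes)."""
    reply = udp_send(query)
    h = parse_header(reply)
    if h["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")
    if h["tc"]:
        reply = tcp_unframe(tcp_send(tcp_frame(query)))
    return reply

def amplification_factor(query, reply):
    """Bytes out per byte in; the truncated reply keeps this at ~1.0, a full answer does not."""
    return len(reply) / len(query)
```

Comparing amplification_factor for the truncated reply against a full multi-record answer shows why the threshold blunts reflection: the UDP path never returns more bytes than it received, and only the TCP path (which needs a real handshake) carries the records.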


Archive powered by MHonArc 2.6.19.