Re: [opennic-discuss] Read this in case you had issues surfing to www.reddit.com when using my (Fusl) Tier2s
- From: Fusl Dash <opennic AT lists.dedilink.eu>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Read this in case you had issues surfing to www.reddit.com when using my (Fusl) Tier2s
- Date: Fri, 20 Feb 2015 10:17:08 +0100
Hi,
On 02/19/2015 11:17 PM, Calum McAlinden wrote:
> I have seen this issue on a few servers. I believe it's caused by
> having a low max reply size of the server, which can be tested on
> the t2 test page. The only reason it happens with reddit is because
> they have loads of A records which push the answer section over the
> limit.
I thought about that already. On PowerDNS there is
"udp-truncation-threshold" that makes the Tier2 reply with a
zero-sized DNS response and the truncated bit set so the client has to
retry in TCP mode. I haven't seen any case like that but got a similar
bug yesterday: when trying to use dnscrypt-proxy with my Tier2s and
opening www.reddit.com, it simply fails. In tcpdump I see UDP queries
that get answered with truncated 0/0/0-sized responses; glibc then
retries with TCP, and after that glibc tries again over UDP, but this
time with ".site" appended to the domain (most likely because it thinks
the TCP response is somehow invalid and appends my local hostname
domain).

The udp-truncation-threshold unfortunately has to be set on many of my
servers since they have been used in DNS amplification attacks very
often already and this solves 99% of those problems, but apparently
it also brings some disadvantages.

Anyway... I will think about removing "udp-truncation-threshold" and
implementing some iptables rules that will hopefully help a little bit.
--
Best regards
Fusl - root AT meo.ws - http://meo.ws/
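The truncation behaviour described in the message above, as an added example that is not part of the original post and is not PowerDNS code: a small model of a server that answers over UDP only when the reply fits a size threshold, and otherwise sends an empty reply with the TC bit set. The helper names, the 15 constructed A records, the 128-byte threshold and the choice to keep the question section in the truncated reply are assumptions made for illustration.

```python
import struct

QR, TC, RA = 0x8000, 0x0200, 0x0080   # DNS header flag bits (RFC 1035)

def build_query(name, txid=0x1234):
    """Constructed A/IN query with RD set."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def a_record(ip, ttl=300):
    """A record whose owner name is a compression pointer to the question."""
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))

def udp_reply(query, answers, threshold):
    """Server model: send the full answer over UDP only if it fits the threshold."""
    txid, flags = struct.unpack("!HH", query[:4])
    question = query[12:]
    flags |= QR | RA
    full = (struct.pack("!6H", txid, flags, 1, len(answers), 0, 0)
            + question + b"".join(answers))
    if len(full) <= threshold:
        return full
    # Over the limit: empty sections, TC set, so the client must retry over TCP.
    return struct.pack("!6H", txid, flags | TC, 1, 0, 0, 0) + question

def summarize(query, reply):
    """What a stub resolver (or someone reading tcpdump) sees in the UDP reply."""
    _, flags, _, an, ns, ar = struct.unpack("!6H", reply[:12])
    return {
        "tc": bool(flags & TC),
        "counts": f"{an}/{ns}/{ar}",               # answer/authority/additional
        "amplification": len(reply) / len(query),  # reply bytes per query byte
        "next_step": "retry over TCP" if flags & TC else "use UDP answer",
    }

# Constructed sample: 15 A records from the documentation range 192.0.2.0/24.
QUERY = build_query("www.reddit.com")
ANSWERS = [a_record(f"192.0.2.{i}") for i in range(1, 16)]

if __name__ == "__main__":
    for limit in (512, 128):   # 128 is an illustrative threshold, not a recommendation
        print(limit, summarize(QUERY, udp_reply(QUERY, ANSWERS, limit)))
```

With the threshold in place the UDP reply is no larger than the query, which is why it blunts amplification, and the cost is that every client asking for a large record set has to complete the TCP retry correctly.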