Closed mschirrmeister closed 3 years ago
The use case for this is as a front-end for your own server.
Queries are sent over UDP, but with a large advertised UDP response size, so that TCP is never necessary. Cloudflare and Google enforce a maximum UDP size to mitigate DDoS attack vectors, but these restrictions don't apply to a local server.
Anyway, TCP retries are implemented in 485afd5 . Thanks!
I love this doh-server because it's small, very light and fast; even when the server is busy, it doesn't increase much in memory or CPU.
Just an idea, if possible: could an option be added to enable or disable the TCP?
Such an option can be added, but unless you are using a server explicitly configured to block UDP packets above the size of a valid response, it will never use TCP.
Also, only 1/10 of the connections are allowed to use TCP.
I guess Quad9 ignores the large advertised UDP response size for a few queries before finally sending an answer over UDP. In what scenario does your implementation from 485afd5 kick in? I tested it again with Quad9, but it does not retry with TCP.
But as you mentioned, I will use it with a local DNS server next to it, which is doing all the classic DNS work.
It should retry with TCP if it gets a truncated response.
It is unfortunately not doing the retry. I pulled the latest from GitHub, ran the cargo install command again and tested the same way as above with Quad9.
Hello,
I noticed that if the configured upstream DNS server has the truncate bit set, the doh-proxy does not retry via TCP. I think the standard is that a resolver should retry via TCP if that TC bit is set. Is this a bug, or is there anything that can be configured?
Depending on the DNS server, the doh-proxy returns either an empty response to the client or an error. I received an empty response when the server returned, in its answer, additional data of type OPT (9.9.9.9). If there was no additional data (1.1.1.1), then the client returns a message that the query failed.

doh-proxy started with default 9.9.9.9:
DNS query

doh-proxy started with cloudflare:
DNS query
Besides the TCP retry, some DNS servers seem to respond differently. If you try a lookup multiple times with 9.9.9.9, you will eventually get a large UDP response, with fragmented packets.
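The behaviour the thread expects from a resolver (advertise a large EDNS0 UDP payload size, then fall back to TCP only when the answer comes back with the TC bit set) as an added Python example; this is not doh-proxy's own code. The UDP and TCP transports are injected callables and the upstream responses are constructed inline, so it runs offline.

```python
import struct

def build_query(qname: str, qtype: int = 1, udp_payload: int = 4096, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query with an EDNS0 OPT record advertising udp_payload bytes."""
    # Header: RD set, 1 question, 0 answers, 0 authority, 1 additional (the OPT RR).
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname_wire + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS field carries the UDP payload size, TTL = ext flags, RDLEN 0.
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_payload, 0, 0)
    return header + question + opt

def is_truncated(response: bytes) -> bool:
    """True when the TC bit (bit 9 of the header flags word) is set."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    flags = struct.unpack(">H", response[2:4])[0]
    return bool(flags & 0x0200)

def resolve(query: bytes, send_udp, send_tcp) -> tuple:
    """Try UDP first; on a truncated answer retry over TCP with the 2-byte length framing
    RFC 1035 requires. send_udp(raw) -> raw; send_tcp(framed) -> framed. Returns (answer, transport)."""
    answer = send_udp(query)
    if not is_truncated(answer):
        return answer, "udp"
    framed = struct.pack(">H", len(query)) + query
    tcp_reply = send_tcp(framed)
    length = struct.unpack(">H", tcp_reply[:2])[0]
    body = tcp_reply[2:2 + length]
    if len(body) != length:
        raise ValueError("short TCP response")
    return body, "tcp"

def _fake_response(txid: int, truncated: bool) -> bytes:
    """Constructed 12-byte answer header (not captured from a real server): QR, RD, RA, optional TC."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)

def demo() -> list:
    q = build_query("example.com")
    # Upstream A truncates its UDP answer, so the resolver must switch to TCP.
    _, t_a = resolve(q, lambda _: _fake_response(0x1234, True),
                     lambda _: struct.pack(">H", 12) + _fake_response(0x1234, False))
    # Upstream B honours the advertised size, so the answer stays on UDP and TCP is never touched.
    _, t_b = resolve(q, lambda _: _fake_response(0x1234, False), lambda _: b"")
    return [t_a, t_b]
```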