Commit f1c7ad8a authored by Wágner Ferenc

DNS traffic is being shifted towards TCP to avoid fragmentation

Especially DNSSEC employs big payloads.  The original EDNS buffer size
of 4096 isn't recommended anymore, modern clients advertise 1232 bytes
instead (the glibc stub resolver uses the even more conservative 1200
bytes), and servers similarly truncate their responses to avoid having
them fragmented.  This initiates TCP fallback, which, if not allowed,
leads to "DANE error: tlsa lookup DEFER" failure messages from the
Exim remote_smtp transport (after a long connect timeout).

https://labs.apnic.net/?p=1390
https://dnsflagday.net/2020/
parent 1420d258
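The TC-bit fallback that the commit message describes, as an added example that is not code from this repository: it builds a UDP query advertising the 1232-byte EDNS buffer size and shows the stub resolver's decision when the answer comes back truncated. The response headers are constructed samples, not captured traffic.

```python
"""Minimal DNS header / EDNS0 helpers illustrating why TCP fallback happens."""
import struct

EDNS_BUFSIZE = 1232  # UDP payload size advertised by modern clients (DNS Flag Day 2020)
TC_FLAG = 0x0200     # TC bit in the 16-bit flags word of the DNS header


def build_query(name: str, qtype: int = 52, txid: int = 0x1234) -> bytes:
    """Build a DNS query for `name` (qtype 52 = TLSA, as used for DANE) with an EDNS0 OPT RR."""
    # flags 0x0100 = RD; 1 question, 0 answers, 0 authority, 1 additional (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, the CLASS field carries the UDP payload size,
    # TTL carries extended rcode / version / flags (all zero), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_BUFSIZE, 0, 0)
    return header + question + opt


def is_truncated(response: bytes) -> bool:
    """True if the server set the TC bit, i.e. the answer did not fit the advertised buffer."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG)


def next_transport(response: bytes) -> str:
    """A stub resolver's decision: a truncated UDP answer must be retried over TCP port 53."""
    return "tcp" if is_truncated(response) else "udp"


# Constructed sample headers: QR|TC|RD|RA = 0x8380 (truncated), QR|RD|RA = 0x8180 (complete)
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    query = build_query("_25._tcp.mail.example.org")
    print(len(query), "byte TLSA query advertising bufsize", EDNS_BUFSIZE)
    print("truncated reply ->", next_transport(TRUNCATED_RESPONSE))   # tcp
    print("complete reply  ->", next_transport(COMPLETE_RESPONSE))    # udp
```

If the firewall's outbound chain only permits `udp dport domain`, the retry over TCP that `next_transport` selects is what gets dropped, which is the Exim DANE DEFER described above.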
......@@ -38,7 +38,7 @@ table inet filter {
icmp type echo-request accept
}
chain new-out {
tcp dport { telnet, ssh, http, https, smtp, ldaps, whois, mysql, git } accept
tcp dport { telnet, ssh, domain, http, https, smtp, ldaps, whois, mysql, git } accept
udp dport { domain, snmp, 33434-33600 } accept
ip protocol icmp accept
ip daddr {{ lookup('dig','rspamd.mail.einfra.hu') }} tcp dport 11333 accept
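Review bot: the new `domain` entry in the tcp dport set is correct for the TC-bit fallback, but nothing in the ruleset records why DNS now appears in both the tcp and udp sets, so a later cleanup could easily drop it again; attach an nft rule comment, e.g. `tcp dport { ..., domain, ... } accept comment "DNS over TCP: truncated UDP answers (DNSSEC/TLSA) fall back to TCP"`, or reference this commit's rationale in the template.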