[dnsdist] Matching corrupt DNS queries?

Remi Gacogne remi.gacogne at powerdns.com
Mon Aug 14 15:07:40 UTC 2023

Hi Jacob,

On 13/08/2023 13:07, Jacob Bunk Nielsen via dnsdist wrote:
> We are sometimes seeing UDP DNS queries that come in with the TC flag
> set to true. That doesn't make sense to send such queries as the client
> should of course just make that query over TCP.
> But how do I match those queries in dnsdist? The DNSHeader class has a
> :setTC() function, but not a :getTC() function.

Right, it was indeed missing. [1] adds it, and will likely be backported 
to 1.8.x.

> Also, it would be great
> to have a generic way to match on header flags like you can do on e.g.
> query types.
> Something like:
> HeaderRule(DNSFlags.TC, true)
> or similar, but I don't find anything like this in the docs.

I don't think we have such a rule yet, and I would gladly add it to 
dnsdist. Would you mind opening a feature request so it doesn't get 

[1]: https://github.com/PowerDNS/pdns/pull/13135

Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20230814/52af46bc/attachment.sig>

More information about the dnsdist mailing list