Use rfc7766

vedetta-com · Mar 22, 2018 · bb1be83 · bb1be83
1 parent 7ae2aab
commit bb1be83
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/UPGRADE.md b/UPGRADE.md
@@ -17,6 +17,11 @@ Disable block log in pf, with small /var/log:
 cp src/etc/pf.conf.anchor.block /etc/
 ```
 
+DNS Transport over TCP ([rfc7766](https://tools.ietf.org/html/rfc7766)):
+```sh
+awk '/port domain/{sub(/udp/, "{ tcp udp }", last)} NR>1{print last} {last=$0} END {print last}' /etc/pf.conf > /tmp/pf.conf && cp /tmp/pf.conf /etc/pf.conf && rm /tmp/pf.conf
+```
+
 Include quota usage in daily stats, with formatting for small screens:
 ```sh
 crontab -e
@@ -54,7 +59,7 @@ crontab -e
 
 *n.b.*: Unbound configured to use ~10MB RAM
 ```sh
-ps -U _unbound -o rss | awk '{sum += $1} END {print "RSS for _unbound", sum/1024 "MB"}'  
+ps -U _unbound -o rss | awk '{sum += $1} END {print "RSS for _unbound", sum/1024 "MB"}'
 > RSS for _unbound 6.66406MB
 ```
 

diff --git a/src/etc/pf.conf b/src/etc/pf.conf
@@ -70,7 +70,7 @@ anchor "external" on egress {
  # Outbound
  anchor out proto { tcp udp } from (egress) {
   # DNS
-  pass log (user) proto udp \
+  pass log (user) proto { tcp udp } \
    to port domain \
    tag SELF_INET