From bb1be83061a5c0e59856d6facf5a28a808d118bc Mon Sep 17 00:00:00 2001
From: Horia Racoviceanu
Date: Thu, 22 Mar 2018 17:35:39 -0400
Subject: [PATCH] Use rfc7766

---
 UPGRADE.md | 7 ++++++-
 src/etc/pf.conf | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/UPGRADE.md b/UPGRADE.md
index 217e109..4d1af74 100644
--- a/UPGRADE.md
+++ b/UPGRADE.md
@@ -17,6 +17,11 @@ Disable block log in pf, with small /var/log:
 cp src/etc/pf.conf.anchor.block /etc/
 ```

+DNS Transport over TCP ([rfc7766](https://tools.ietf.org/html/rfc7766)):
+```sh
+awk '/port domain/{sub(/udp/, "{ tcp udp }", last)} NR>1{print last} {last=$0} END {print last}' /etc/pf.conf > /tmp/pf.conf && cp /tmp/pf.conf /etc/pf.conf && rm /tmp/pf.conf
+```
+
 Include quota usage in daily stats, with formatting for small screens:
 ```sh
 crontab -e
@@ -54,7 +59,7 @@ crontab -e

 *n.b.*: Unbound configured to use ~10MB RAM
 ```sh
-ps -U _unbound -o rss | awk '{sum += $1} END {print "RSS for _unbound", sum/1024 "MB"}'
+ps -U _unbound -o rss | awk '{sum += $1} END {print "RSS for _unbound", sum/1024 "MB"}'
 > RSS for _unbound 6.66406MB
 ```

diff --git a/src/etc/pf.conf b/src/etc/pf.conf
index 990e6be..0727c6a 100644
--- a/src/etc/pf.conf
+++ b/src/etc/pf.conf
@@ -70,7 +70,7 @@ anchor "external" on egress {
 # Outbound
 anchor out proto { tcp udp } from (egress) {
 # DNS
- pass log (user) proto udp \
+ pass log (user) proto { tcp udp } \
 to port domain \
 tag SELF_INET
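Review bot: The widened rule `pass log (user) proto { tcp udp } to port domain` lets every local process open TCP connections to port 53 on any destination, since nothing visible in the rule limits which user or which servers it applies to. RFC 7766 calls for TCP support, but an unrestricted outbound TCP/53 rule is a broader egress path than UDP/53 alone, so if the resolver is the only intended client (UPGRADE.md refers to an `_unbound` user) consider adding `user _unbound` to the rule after reviewing the existing `log (user)` output for other UIDs. The `# DNS` comment could also record the reason, e.g. `# DNS over UDP and TCP (RFC 7766)`. The UPGRADE.md one-liner that applies this edit to a live `/etc/pf.conf` stages its output at the fixed path `/tmp/pf.conf`; a `mktemp` file checked with `pfctl -nf` before the copy would be safer. The enclosing `anchor out` block continues outside the hunk.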