KB-0299: Making the CentrifyDC agent use DNS over UDP ('dns udp') exclusively to prevent security exposure
How can adjoin and adclient be made to use DNS over UDP exclusively, at all times, to prevent security exposure?
DNS over TCP is commonly regarded as slower than DNS over UDP and as more exposed to denial-of-service attacks, since every TCP query ties up connection state on the server. For that reason the CentrifyDC agent queries DNS servers over UDP by default. It falls back to TCP in either of these cases:
1. DNS over UDP is blocked.
2. The response does not fit in a 512-byte UDP datagram. The server then returns a truncated reply with the TC bit set, and the agent retries the query over TCP.
To make the CentrifyDC agent use DNS queries over UDP exclusively, make sure that:
1. DNS traffic over TCP is blocked.
2. No DNS response the agent needs is larger than 512 bytes. The SRV and A records a large Active Directory site returns for domain controller discovery can easily exceed this limit, so verify your own zones rather than assuming it.
3. The dns.forcetcp parameter in /etc/centrifydc/centrifydc.conf is still set to false.
Bear in mind that blocking DNS over TCP can cause adclient to drop into disconnected mode intermittently: whenever a required answer exceeds 512 bytes the UDP reply comes back truncated, and the TCP retry that would normally complete it is refused.
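The following script is an added example, not Centrify's own code, for checking the second and third conditions above before TCP is blocked. It sends a plain RFC 1035 query (no EDNS0 OPT record, so the server must set the TC bit on anything over 512 bytes) and reports whether the agent would have to fall back to TCP, and it reads dns.forcetcp from centrifydc.conf text. It assumes the "parameter: value" line format of centrifydc.conf and, following the article, treats a missing dns.forcetcp as false. The sample response packets and conf excerpt at the bottom are constructed so the module can be exercised offline.

```python
"""Check whether a DNS answer fits in a plain 512-byte UDP reply, and whether
dns.forcetcp is still false in centrifydc.conf. Added example, not Centrify code."""
import random
import socket
import struct
import sys

QTYPE_A, QTYPE_SRV = 1, 33
FLAG_QR = 0x8000   # "this is a response" bit in the DNS header flags
FLAG_TC = 0x0200   # "truncated" bit: answer did not fit in 512 bytes


def build_query(name, qtype=QTYPE_SRV, qid=None):
    """Encode a classic RFC 1035 query: no EDNS0 OPT record, so the server must
    truncate (set TC) anything it cannot fit into a 512-byte UDP datagram."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_header(resp):
    """Return the DNS response header fields that matter for the TCP-fallback check."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "response": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "ancount": an,
        "size": len(resp),
    }


def udp_lookup(name, server, qtype=QTYPE_SRV, timeout=3.0):
    """Send one UDP query and report whether a classic resolver would retry over TCP."""
    qid = random.randint(0, 0xFFFF)
    query = build_query(name, qtype, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(512)     # same buffer size a classic resolver uses
    info = parse_header(resp)
    if info["id"] != qid or not info["response"]:
        raise ValueError("reply does not match our query")
    return info


def dns_forcetcp_setting(conf_text):
    """Read dns.forcetcp from centrifydc.conf text ("parameter: value" lines,
    '#' comments). Assumed default per the article: false when the line is absent."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key.strip() == "dns.forcetcp":
            return value.strip().lower()
    return "false"


# Constructed sample data so the checks can be exercised offline.
_QUESTION = build_query("_ldap._tcp.dc._msdcs.example.com", QTYPE_SRV, 0x1234)[12:]
# flags 0x8380 = QR | TC | RD | RA: the server could not fit the answer in 512 bytes
SAMPLE_TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION
# flags 0x8180 = QR | RD | RA: complete answer with two records, UDP is enough
SAMPLE_COMPLETE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _QUESTION
SAMPLE_CONF = "# centrifydc.conf excerpt (constructed)\ndns.forcetcp: false\n"

if __name__ == "__main__":
    # Usage: python dnscheck.py <dns-server-ip> <name> [A|SRV]
    server, name = sys.argv[1], sys.argv[2]
    qtype = QTYPE_A if len(sys.argv) > 3 and sys.argv[3].upper() == "A" else QTYPE_SRV
    info = udp_lookup(name, server, qtype)
    verdict = "would fall back to TCP" if info["tc"] else "fits in UDP"
    print(f"{name}: {info['size']} bytes, rcode={info['rcode']}, {verdict}")
```

Run it against each DNS server adclient uses, for the SRV names your domain controllers are discovered through (for example _ldap._tcp.dc._msdcs.<domain>) and the A records of those controllers; any name reported as "would fall back to TCP" will stop resolving once TCP is blocked.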