
KB-0299: How to make the CentrifyDC agent use 'dns udp' to prevent security exposure?

Authentication Service

12 April,16 at 11:30 AM


How can adjoin and adclient be made to use 'dns udp' exclusively, at all times, to prevent security exposure?


DNS-over-TCP is often considered much slower than DNS-over-UDP and inherently much more vulnerable to denial-of-service attacks. For this reason the CentrifyDC agent queries DNS servers over UDP by default. The agent switches to querying the DNS server over TCP if either of the following applies:

1. DNS-over-UDP is blocked.
2. The DNS-over-UDP response is larger than 512 bytes.

To make the CentrifyDC agent use DNS queries over UDP exclusively, make sure that you:

1. Block DNS traffic over TCP.
2. Ensure that no DNS response is larger than 512 bytes.
3. Confirm that the "dns.forcetcp" parameter is still set to "false" in /etc/centrifydc/centrifydc.conf and

Note that blocking DNS traffic over TCP may sporadically cause adclient to go into a disconnected state.
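The two fallback triggers above (UDP blocked, or a UDP response larger than 512 bytes) and the configuration check on dns.forcetcp can be exercised offline. The following is an added example written for this article, not Centrify's own code: it parses a constructed centrifydc.conf fragment (the "key: value" line syntax is an assumption), and applies the article's fallback rule to a constructed DNS response. It goes one step beyond the article by also checking the DNS header's TC (truncated) flag, which is the standard RFC 1035 signal that a UDP reply did not fit and a TCP retry is needed.

```python
import struct

# Constructed sample of /etc/centrifydc/centrifydc.conf (not a real file).
# The "key: value" format is an assumption about the agent's config syntax.
SAMPLE_CONF = """# constructed sample configuration
adclient.ldap.timeout: 7
dns.forcetcp: false
"""

MAX_UDP_DNS_PAYLOAD = 512  # classic DNS-over-UDP size limit cited in the article


def parse_centrifydc_conf(text):
    """Return a dict of key -> value for lines of the form 'key: value'.
    Blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        params[key.strip()] = value.strip()
    return params


def force_tcp_enabled(conf_text):
    """True if dns.forcetcp is set to a truthy value; an absent key counts as false,
    matching the default the article describes (UDP first)."""
    value = parse_centrifydc_conf(conf_text).get("dns.forcetcp", "false").lower()
    return value in ("true", "yes", "1")


def dns_header_truncated(response):
    """Return the TC flag of a DNS message (bit 0x0200 of the flags word at bytes 2-3)."""
    if len(response) < 12:
        raise ValueError("too short to contain a DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)


def would_fall_back_to_tcp(udp_response):
    """Apply the article's rule: fall back to TCP when UDP is blocked (no reply)
    or the reply exceeds 512 bytes; additionally honour the TC flag.
    Returns (fallback, reason)."""
    if udp_response is None:
        return True, "udp blocked / no response"
    if len(udp_response) > MAX_UDP_DNS_PAYLOAD:
        return True, "response larger than 512 bytes"
    if dns_header_truncated(udp_response):
        return True, "TC bit set"
    return False, "udp response usable"


def build_dns_response(txid, truncated=False, payload_len=0):
    """Construct a minimal DNS response header (QR=1, RD=1, RA=1) plus zero padding.
    Constructed test data only; the padding is not a valid question/answer section."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    print("dns.forcetcp enabled:", force_tcp_enabled(SAMPLE_CONF))
    for label, resp in [("blocked", None),
                        ("small", build_dns_response(1)),
                        ("oversized", build_dns_response(2, payload_len=600)),
                        ("truncated", build_dns_response(3, truncated=True))]:
        print(label, "->", would_fall_back_to_tcp(resp))
```

When auditing a host, feed the real file contents to force_tcp_enabled and capture actual UDP replies (for example with a packet capture) to pass to would_fall_back_to_tcp; any reply that reports a fallback reason points at a zone whose records need trimming, or a path where UDP/53 is being dropped.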