Thomas Hood <> writes:

> After "iptables -I OUTPUT -p udp -m udp --dport 53 -j DROP" the output of
> the program is the same whether hosts="" or "".

from the test:

"to easily reproduce, fake packet loss/overloaded dns server
on linux do something like:
# iptables -I OUTPUT -p udp -m udp --dport 53 -j DROP 
# iptables -I OUTPUT -p udp -m udp --dport 53 -j LOG --log-prefix "DROP DNS 
# iptables -I OUTPUT -p udp -m udp --dport 53 -m limit --limit 10/sec -j ACCEPT 

all 3 lines are needed!
if you drop all dns requests the test doesn't work
if you use all 3 lines dns requests are rate limited (because of
iptables -I you have to read that in reverse order)

afair, the idea was that there is a high probability that at some time
the request for the A record is dropped but the AAAA request gets through


PS: I also wrote a dns-proxy for a more precise test (I think I
linked it somewhere?)
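An added client-side harness for observing that condition, not part of this thread or of the test it quotes: it sends the A and AAAA queries back-to-back the way a dual-stack resolver does and reports which of the two was answered, so that under the rate-limiting iptables rules above a round with A lost and AAAA answered is visible directly. The resolver address (127.0.0.1:53) and the example name are assumptions.

```python
import random
import socket
import struct

# Constructed harness (not the thread's test): which of a paired A/AAAA query got a reply?
QTYPE_A, QTYPE_AAAA = 1, 28

def build_query(name, qtype, txid):
    """Plain DNS wire-format query: RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(data):
    """Decode the 12-byte header: enough to match a reply to its query and read rcode/answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x0F, "answers": an}

def probe(name, server="127.0.0.1", port=53, timeout=2.0):
    """One round: {'A': header-or-None, 'AAAA': header-or-None}; None means no reply before timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    base = random.randrange(65536)  # consecutive txids so the two queries never collide
    pending = {}
    for offset, (label, qtype) in enumerate((("A", QTYPE_A), ("AAAA", QTYPE_AAAA))):
        txid = (base + offset) & 0xFFFF
        pending[txid] = label
        sock.sendto(build_query(name, qtype, txid), (server, port))
    got = {"A": None, "AAAA": None}
    try:
        while pending:
            data, _ = sock.recvfrom(4096)
            if len(data) < 12:
                continue  # truncated datagram, not a usable reply
            hdr = parse_header(data)
            label = pending.pop(hdr["txid"], None)
            if label is not None and hdr["is_response"]:
                got[label] = hdr
    except socket.timeout:
        pass  # whatever is still pending was dropped (or rate-limited away)
    finally:
        sock.close()
    return got

def asymmetric_loss(got):
    """True when the A query was lost but the AAAA query was answered."""
    return got["A"] is None and got["AAAA"] is not None

if __name__ == "__main__":
    for i in range(20):  # several rounds: the rate limit drops only some queries
        r = probe("example.com")
        print(i, "A" if r["A"] else "-", "AAAA" if r["AAAA"] else "-",
              "<-- A lost, AAAA answered" if asymmetric_loss(r) else "")
```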
