[dns-operations] tcp blocking, was Re: Shameless plug ...

Edward Lewis Ed.Lewis at neustar.biz
Wed Jul 5 15:17:49 UTC 2006


At 13:13 -0400 7/1/06, John Payne wrote:

>"Just in case"   I'd rather not have an unnecessary DoS vector open
>on my servers if I don't need it.... and taking the experience of a
>company that does a LOT of DNS hits, anyone only doing TCP is in an
>extremely insignificant minority.

I read this and the ensuing thread and am a bit puzzled by this.

In light of recent events, particularly the amplification/reflection 
issue that is enabled by UDP, I was leaning towards believing that 
inter-enterprise DNS ought to be on TCP only.  The "fire and forget" 
nature of UDP is the root cause of it being a vector for attacks, 
especially if the lower layers do not have sanity filters running. 
The lightweight nature of UDP is more of a help to the stub-resolver 
interaction than the resolver-authority interaction because of 
caching.

TCP attacks have been addressed over the years, I would think that 
TCP per se, managed properly, does not represent an "unnecessary DoS 
vector."

For one, TCP is necessary for the protocol described in RFC 1035 
(et al.).  That being said, I often wonder if the protocols of the 
80's and 90's are still relevant to today's needs.  Principles of 
networking don't change, but the reality of networking does change. 
What I mean is that TCP is necessary for DNS, even if it's an 
anachronism.

As a DoS vector, there has been a lot of work to stem problems like 
leaving state open, guessing session numbers, etc.  UDP seems more 
vulnerable to abuse than TCP.

Another factor is the changing way that DNS "ordinarily" works.  It's 
much more client-server, with resolvers talking to authoritative 
servers than other resolvers.  That's one reason cache poisoning is 
sporadic or localized, if it is ever still a real issue (when post 
RFC2181 code is used).

Do operators really fear TCP as an arm of DNS?
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Soccer/Futbol. IPv6.  Both have lots of 1's and 0's and have a hard time
catching on in North America.

That tournament in Germany.  What's all the fuss?  (Get it? "fuss?")
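The two mechanics the message above turns on, as an added example that is not part of the original post or any code from the list: the RFC 1035 UDP size limit that forces a server to set TC and a resolver to retry over TCP (which is why TCP is mandatory for the protocol), the two-byte length prefix that frames DNS over a TCP stream, and the response-to-query size ratio that makes a spoofed UDP query worth reflecting. The server and resolver here are toy functions written for this illustration; the query name, the 192.0.2.0/24 addresses in the answer and the 512-byte limit are constructed inputs (EDNS0 is ignored on purpose, since the post is about the RFC 1035 baseline).

```python
"""Illustration of RFC 1035 truncation, TCP framing and UDP amplification.
Added example; not code from the dns-operations post.  The 'server' and
'resolver' here are stand-ins written for this demonstration."""
import ipaddress
import struct

UDP_PAYLOAD_LIMIT = 512  # RFC 1035 s.2.3.4: largest UDP DNS message (no EDNS0)

# Header flag bits (RFC 1035 s.4.1.1)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus a root label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursion-desired query (QTYPE 1 = A, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; TC is the field a resolver must act on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_response(query: bytes, addresses, udp_limit=UDP_PAYLOAD_LIMIT) -> bytes:
    """Toy authoritative answer to an A query.  With udp_limit set (UDP
    transport) only the RRs that fit are sent and TC is raised; with
    udp_limit=None (TCP transport) the full answer goes out."""
    txid, qflags = struct.unpack("!HH", query[:4])
    question = query[12:]  # echo the question section verbatim
    # Each RR: compression pointer to the qname at offset 12, type A, class IN,
    # TTL, RDLENGTH 4, then the address: 16 bytes on the wire.
    rrs = [b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
           + ipaddress.IPv4Address(a).packed for a in addresses]
    body, sent, truncated = b"", 0, False
    for rr in rrs:
        if udp_limit is not None and 12 + len(question) + len(body) + len(rr) > udp_limit:
            truncated = True
            break
        body += rr
        sent += 1
    flags = QR | AA | RA | (qflags & RD) | (TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, sent, 0, 0) + question + body


def needs_tcp_retry(udp_response: bytes) -> bool:
    """RFC 1035 resolver rule: a truncated UDP answer is re-asked over TCP."""
    return parse_header(udp_response)["tc"]


def frame_tcp(msg: bytes) -> bytes:
    """RFC 1035 s.4.2.2: on TCP every message is preceded by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes):
    """Split a TCP byte stream into complete messages; return (msgs, leftover)
    so a partial trailing message is kept for the next read."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        n = struct.unpack("!H", stream[off:off + 2])[0]
        if off + 2 + n > len(stream):
            break  # incomplete message: wait for more bytes
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, stream[off:]


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes a reflector sends to the spoofed victim per byte the attacker sent."""
    return len(response) / len(query)


if __name__ == "__main__":
    # Constructed input: one A query, 31 answer addresses from TEST-NET-1.
    q = build_query("example.com")
    addrs = [f"192.0.2.{i}" for i in range(1, 32)]
    udp_reply = build_response(q, addrs)          # cut back, TC set
    print("UDP reply", len(udp_reply), "bytes, TC =", needs_tcp_retry(udp_reply),
          "amplification x%.1f" % amplification_factor(q, udp_reply))
    if needs_tcp_retry(udp_reply):
        tcp_reply = build_response(q, addrs, udp_limit=None)
        wire = frame_tcp(tcp_reply)                # what the TCP socket carries
        msgs, rest = unframe_tcp(wire)
        print("TCP reply", len(msgs[0]), "bytes, ancount =",
              parse_header(msgs[0])["ancount"], "leftover", len(rest))
```

Run as a script it shows a 29-byte query drawing a 509-byte truncated UDP answer (about 17.5x amplification) and then the full 525-byte answer over TCP, where the three-way handshake means the querier had to be reachable at its claimed source address; that asymmetry between the two transports is the whole of the reflection argument.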
