[dns-operations] tcp blocking, was Re: Shameless plug ...
Ed.Lewis at neustar.biz
Wed Jul 5 15:17:49 UTC 2006
At 13:13 -0400 7/1/06, John Payne wrote:
>"Just in case" I'd rather not have an unnecessary DoS vector open
>on my servers if I don't need it.... and taking the experience of a
>company that does a LOT of DNS hits, anyone only doing TCP is in a
>extremely insignificant minority.
I read this and the ensuing thread and am a bit puzzled by this.
In light of recent events, particularly the amplification/reflection
issue that is enabled by UDP, I was leaning towards believing that
inter-enterprise DNS ought to be on TCP only. The "fire and forget"
nature of UDP is the root cause of it being a vector for attacks,
especially if the lower layers do not have sanity filters running.
The lightweight nature of UDP is more of a help to the stub-resolver
interaction than the resolver-authority interaction because of
TCP attacks have been addressed over the years, I would think that
TCP per se, managed properly, does not represent an "unnecessary DoS
For one, TCP is necessary for the protocol described in RFC 1035
(et.al.). That being said, I often wonder if the protocols of the
80's and 90's are still relevant to today's needs. Principles of
networking don't change, but the reality of networking does change.
What I mean is that TCP is necessary for DNS, even if it's an
As a DoS vector, there has been a lot of work to stem problems like
leaving state open, guessing session numbers, etc. UDP seems more
vulnerable to abuse that TCP.
Another factor is the changing way that DNS "ordinarily" works. It's
much more client-server, with resolvers talking to authoritative
servers than other resolvers. That's one reason cache poisoning is
sporadic or localized, if it is ever still a real issue (when post
RFC2181 code is used).
Do operators really fear TCP as an arm of DNS?
Edward Lewis +1-571-434-5468
Soccer/Futbol. IPv6. Both have lots of 1's and 0's and have a hard time
catching on in North America.
That tournament in Germany. What's all the fuss? (Get it? "fuss?")
More information about the dns-operations