[dns-operations] DNS deluge for x.p.ctrc.cc

Mark Andrews Mark_Andrews at isc.org
Mon Mar 6 14:05:58 UTC 2006


> Those are not the only two possible choices. There is another although I'm
> not versed in dns enough to know how good a solution it would be.

	Please, before you go and comment again, go read the
	RFCs that relate to the DNS.

> Use TCP
> instead of UDP, this would address the issue of spoofing dns requests and
> remove the attack vector. Allow UDP from local clients but restrict
> anonymous remote clients to TCP as the protocol for querying an open
> recursive dns server. UDP is easy to spoof because it's connectionless, TCP
> isn't.

	There is absolutely no way that DNS could be switched to
	use TCP in any sensible time line.  You are talking about
	upgrading every IP capable machine on the planet.  None of
	them have a switch that causes all applications to use TCP
	instead of UDP for DNS.

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
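The server-side policy the quoted poster sketches (answer UDP queries from untrusted remote sources with a truncated, empty response so that the client must retry over TCP, which RFC 1035 clients already do on TC=1, while local clients are served over UDP) as an added illustration; this is example code written for this archive page, not code from the list or from ISC, and the trusted ranges and sample query are constructed placeholders:

```python
import ipaddress
import struct

# Constructed placeholder ranges for clients allowed to use UDP directly.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("2001:db8::/32")]

# Constructed sample query: id 0x1234, RD set, one question "example.com" A IN.
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")

def is_local(src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in LOCAL_NETS)

def question_length(msg: bytes) -> int:
    """Byte length of the single question section (QNAME + QTYPE + QCLASS)."""
    pos = 12
    while True:
        label_len = msg[pos]
        pos += 1
        if label_len == 0:
            break
        if label_len & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compressed QNAME in question")
        pos += label_len
    return pos + 4 - 12

def truncated_reply(query: bytes) -> bytes:
    """Build a response with QR=1 and TC=1, no answer RRs; the client retries via TCP."""
    if len(query) < 12:
        raise ValueError("short DNS message")
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    if flags & 0x8000:
        raise ValueError("not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    kept = flags & 0x7900                 # keep OPCODE and RD from the query
    new_flags = 0x8000 | kept | 0x0200    # QR=1, TC=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, new_flags, 1, 0, 0, 0)
    return header + query[12:12 + question_length(query)]

def handle_udp_query(src_ip: str, query: bytes):
    """Trusted sources get ("resolve", query); others get ("truncate", reply)."""
    if is_local(src_ip):
        return ("resolve", query)
    return ("truncate", truncated_reply(query))
```

Because the truncated reply is no larger than the query, a spoofed UDP request gains no amplification, and only a client that really owns the source address can complete the TCP retry.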