[dns-operations] DNS deluge for x.p.ctrc.cc
Mark_Andrews at isc.org
Mon Mar 6 14:05:58 UTC 2006
> Those are not the only two possible choices. There is another although I'm
> not versed in dns enough to know how good a solution it would be.
Please, before you go and comment again, go read the
RFCs that relate to the DNS.
> Use TCP
> instead of UDP, this would address the issue of spoofing dns requests and
> remove the attack vector. Allow UDP from local clients but restrict
> anonymous remote clients to TCP as the protocol for querying an open
> recursive dns server. UDP is easy to spoof because it's connectionless, TCP
There is absolutely no way that DNS could be switched to
use TCP in any sensible time line. You are talking about
upgrading every IP capable machine on the planet. None of
them have a switch that causes all applications to use TCP
instead of UDP for DNS.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
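As an added illustration, not code from this thread, from ISC or from BIND, of how the quoted proposal ("allow UDP from local clients but restrict anonymous remote clients to TCP") could be realised on the server side without touching any client: RFC 1035 already requires a resolver that receives a UDP response with the TC bit set to retry the query over TCP, so a server can answer UDP queries from non-local sources with a truncated, answer-less reply and reserve full UDP answers for local clients. The "local" network 192.0.2.0/24, the oversized TXT answer and the query for x.p.ctrc.cc are constructed for the example; nothing here is sent on the wire.

```python
import ipaddress
import struct

# Hypothetical "local clients" that are trusted to receive full UDP answers.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080
OPCODE_MASK = 0x7800


def build_query(qname, qtype=255, txid=0x1234):
    """Constructed DNS query: QTYPE defaults to ANY (255), class IN, RD set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, flags, qname, qtype, qclass, raw question section).

    Query names are never compressed, so plain labels are enough here;
    a real server must also handle 0xC0 pointers in responses.
    """
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, ".".join(labels), qtype, qclass, msg[12:off + 4]


def truncated_response(query):
    """Answer-less reply with TC=1: an RFC 1035 client retries over TCP."""
    txid, flags, _, _, _, question = parse_question(query)
    rflags = QR | (flags & OPCODE_MASK) | TC | (flags & RD) | RA
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question


def build_txt_answer(query, strings):
    """Constructed full answer: one TXT RR whose RDATA is the given strings.

    Anything over 512 bytes would only fit in UDP with EDNS0; the size is
    chosen to make the amplification ratio visible, not to be realistic.
    """
    txid, flags, _, _, _, question = parse_question(query)
    rflags = QR | (flags & OPCODE_MASK) | (flags & RD) | RA
    rdata = b"".join(bytes([len(s)]) + s for s in strings)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0) + question + rr


def handle_udp_query(src_ip, query, full_answer):
    """Policy: local sources get the full UDP answer, everyone else gets TC=1.

    src_ip is whatever the UDP header claims, which is exactly what an
    attacker spoofs; the point is that a spoofed remote address now only
    triggers a reply no larger than the query.
    """
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in LOCAL_NETS):
        return full_answer
    return truncated_response(query)


def is_truncated(response):
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC)


def amplification(query, response):
    """Bytes sent to the (possibly spoofed) source per byte of query."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("x.p.ctrc.cc")
    big = build_txt_answer(q, [b"x" * 255] * 10)
    for src in ("192.0.2.10", "203.0.113.5"):
        r = handle_udp_query(src, q, big)
        print(src, len(q), "->", len(r), "bytes, TC=%d, x%.1f"
              % (is_truncated(r), amplification(q, r)))
```

The policy removes the amplification, not the reflection: the server still emits one query-sized packet towards whatever source address the attacker wrote into the packet, so a flood of spoofed queries is still reflected, just not multiplied. It also silently breaks any client that cannot or will not retry over TCP (port 53/tcp filtered, or a stub that never implemented the TC retry), which is why such a rule has to be scoped to sources the operator is willing to lose rather than applied to the world.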