[dns-operations] DNS greylisting?

Joe Abley jabley at hopcount.ca
Mon Mar 6 14:59:08 UTC 2006


On 6-Mar-2006, at 09:05, Mark Andrews wrote:

> There is absolutely no way that DNS could be switched to use TCP in  
> any sensible time line.  You are talking about upgrading every IP  
> capable machine on the planet.  None of them have a switch that  
> causes all applications to use TCP instead of UDP for DNS.

Would it violate the protocol too heinously if a nameserver returned  
TC for all UDP queries from particular sources -- e.g. allow UDP  
queries to function normally only if the sources were trusted, and  
attempt to force all others to use TCP instead?

If the truncated UDP response was small, that could limit the  
amplification potential.

Clients which resubmitted their query using TCP might be whitelisted,  
such that future UDP queries from those hosts within a window might  
be allowed with no forced truncation (e.g. using a fixed-size, LRU  
cache). The rationale this whitelisting would be that the client had  
demonstrated behaviour consistent with a non-spoofed source address.

This sounds a little like greylisting, but for DNS.

I realise this depends on client stacks understanding TC and being  
capable of resubmitting a request using TCP, which is far from a  
foregone conclusion for embedded devices; perhaps it's a reasonable  
assumption for recursive resolvers, however.


Joe




More information about the dns-operations mailing list