[dns-operations] DNS greylisting?
Joe Abley
jabley at hopcount.ca
Mon Mar 6 14:59:08 UTC 2006
On 6-Mar-2006, at 09:05, Mark Andrews wrote:
> There is absolutely no way that DNS could be switched to use TCP in
> any sensible time line. You are talking about upgrading every IP
> capable machine on the planet. None of them have a switch that
> causes all applications to use TCP instead of UDP for DNS.
Would it violate the protocol too heinously if a nameserver returned
TC for all UDP queries from particular sources -- e.g. allow UDP
queries to function normally only if the sources were trusted, and
attempt to force all others to use TCP instead?
If the truncated UDP response was small, that could limit the
amplification potential.
Clients which resubmitted their query using TCP might be whitelisted,
such that future UDP queries from those hosts within a window might
be allowed with no forced truncation (e.g. using a fixed-size, LRU
cache). The rationale for this whitelisting would be that the client had
demonstrated behaviour consistent with a non-spoofed source address.
This sounds a little like greylisting, but for DNS.
I realise this depends on client stacks understanding TC and being
capable of resubmitting a request using TCP, which is far from a
foregone conclusion for embedded devices; perhaps it's a reasonable
assumption for recursive resolvers, however.
Joe
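The greylisting policy described above, modelled as an added example that is not part of Joe's post or any nameserver's code: unknown sources get a minimal truncated reply over UDP, a completed TCP query whitelists the source in a fixed-size LRU cache for a window, and trusted sources are always served over UDP. Class and parameter names, the window length and the sample addresses are assumptions for illustration.

```python
# Added example (not from the thread): a model of the "DNS greylisting"
# decision. Sources are trusted (always answered over UDP), whitelisted
# (recently completed a TCP query, answered over UDP within a window), or
# unknown (UDP queries get a header-only TC reply; TCP queries are answered
# and the source is whitelisted). The whitelist is a fixed-size LRU cache.
# All names, the window length and sizes here are assumptions.
from collections import OrderedDict

TC_RESPONSE = "tc"       # truncated reply: header only, keeps amplification low
ANSWER = "answer"        # full answer
WHITELIST_WINDOW = 300   # seconds a TCP-verified source may keep using UDP


class GreylistingServer:
    def __init__(self, trusted, max_entries=1024, window=WHITELIST_WINDOW):
        self.trusted = set(trusted)
        self.max_entries = max_entries
        self.window = window
        self.whitelist = OrderedDict()   # src -> time of last TCP query

    def _whitelisted(self, src, now):
        t = self.whitelist.get(src)
        if t is None:
            return False
        if now - t > self.window:        # window expired: forget the source
            del self.whitelist[src]
            return False
        self.whitelist.move_to_end(src)  # mark as most recently used
        return True

    def _add(self, src, now):
        self.whitelist[src] = now
        self.whitelist.move_to_end(src)
        while len(self.whitelist) > self.max_entries:
            self.whitelist.popitem(last=False)   # evict least recently used

    def handle(self, src, transport, now):
        """Return ANSWER or TC_RESPONSE for a query from src over transport."""
        if transport == "tcp":
            # A completed TCP handshake shows src is not a spoofed address.
            self._add(src, now)
            return ANSWER
        if src in self.trusted or self._whitelisted(src, now):
            return ANSWER
        return TC_RESPONSE
```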