[dns-operations] Geoff Huston on DNS-over-TCP-only study.

Vernon Schryver vjs at rhyolite.com
Wed Aug 21 13:44:51 UTC 2013


http://www.circleid.com/posts/20130820_a_question_of_dns_protocols
disappointed me with this characterization of RRL:

    There is a conversation thread that says that resolvers should
    implement response rate limiting (RRL), and silently discard
    repetitive queries that exceed some locally configured threshold.

That ignores the "slip" parameter.  That is irritating given the
relevant implications of slip=2 as the default in one RRL implementation
and the popular alternative of slip=1.

I was also disappointed that it failed to mention the crushing
costs of DNS/TCP.

And I was disappointed by its failure to mention DNS cookies as
a potential alternative to mitigating reflection attacks with DNS/TCP.
https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03

On the other hand, I'm not sure that the article was intended to
advocate using DNS/TCP all of the time instead of only during attacks
or even only during attacks.  2% or 17% failure rates are significant.


Vernon Schryver    vjs at rhyolite.com
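As an added illustration of the "slip" parameter the post says the CircleID article ignores, here is a constructed model of response rate limiting. It is not code from the post, from the article, or from any actual RRL implementation; the keying (client /24 prefix plus question), the one-second window, and the credits-per-second value are assumptions for the model. The point it shows is that with slip > 0 an RRL server does not silently discard every over-budget response: every slip-th one is instead sent as a truncated (TC=1) reply, which a legitimate resolver retries over TCP, while a spoofed-source flood mostly gets nothing.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class _Bucket:
    window: int            # one-second window this balance belongs to
    balance: int           # responses still allowed in this window
    slip_count: int = 0    # over-budget responses seen since the last slip


class ResponseRateLimiter:
    """Simplified RRL model (constructed for illustration, not BIND's or any
    other server's implementation).

    Responses are keyed by (client /24 prefix, qname, qtype).  Each key may
    send `responses_per_second` identical responses per one-second window.
    A response over that budget is dropped, except that every `slip`-th
    over-budget response is sent as a truncated (TC=1) reply so that a real
    client can retry over TCP.  slip=0 means drop everything over budget.
    """

    def __init__(self, responses_per_second: int = 5, slip: int = 2) -> None:
        self.rps = responses_per_second
        self.slip = slip
        self._buckets: dict = {}

    @staticmethod
    def _key(client_ip: str, qname: str, qtype: str):
        # assumed keying: aggregate by /24 so spoofed sources in one prefix share a bucket
        prefix = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (prefix, qname.lower().rstrip("."), qtype.upper())

    def decide(self, now: float, client_ip: str, qname: str, qtype: str) -> str:
        """Return 'send', 'drop' or 'truncate' for one would-be response."""
        key = self._key(client_ip, qname, qtype)
        window = int(now)
        bucket = self._buckets.get(key)
        if bucket is None or bucket.window != window:
            # new window: budget and slip counter start fresh
            bucket = _Bucket(window=window, balance=self.rps)
            self._buckets[key] = bucket
        if bucket.balance > 0:
            bucket.balance -= 1
            return "send"
        if self.slip <= 0:
            return "drop"
        bucket.slip_count += 1
        if bucket.slip_count >= self.slip:
            bucket.slip_count = 0
            return "truncate"      # TC=1, no answer data; client retries over TCP
        return "drop"


def simulate_flood(slip: int, n_queries: int = 20, rps: int = 5) -> dict:
    """Run a constructed reflection-style flood (one question, many spoofed
    sources in 192.0.2.0/24, all within one second) through the limiter and
    count the outcomes."""
    rrl = ResponseRateLimiter(responses_per_second=rps, slip=slip)
    counts: Counter = Counter()
    for i in range(n_queries):
        client = f"192.0.2.{i % 254 + 1}"          # constructed sample sources
        counts[rrl.decide(0.0, client, "example.com.", "ANY")] += 1
    return dict(counts)


if __name__ == "__main__":
    for s in (0, 1, 2):
        print(f"slip={s}: {simulate_flood(slip=s)}")
```

Running the flood with slip=2 sends the first 5 responses, drops 8 and truncates 7; with slip=1 every over-budget response becomes a truncated reply, and with slip=0 all 15 are dropped. The difference between those three cases is exactly what "silently discard" leaves out: the slip setting decides how many legitimate clients caught in the limit still get a TC=1 reply telling them to retry over TCP, and how much reflected traffic (truncated replies are small, but not zero) an attacker can still elicit.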


