[dns-operations] Geoff Huston on DNS-over-TCP-only study.

Geoff Huston gih at apnic.net
Wed Aug 21 23:36:39 UTC 2013


On 22/08/2013, at 12:36 AM, Jon Lewis <jlewis at lewis.org> wrote:

> On Wed, 21 Aug 2013, Dobbins, Roland wrote:
> 
>> 
>> <http://www.circleid.com/posts/20130820_a_question_of_dns_protocols/>
> 
> I didn't even get far enough to get to the parts Vixie seems to object to. It was too painful to read.  It's in desperate need of proof-reading and copy editing.  Was this translated (poorly) from some other language to English?
> 

My apologies - English is spoken and written in so many styles, and I know that my written style can be considered turgid, particularly when I was not intending to write for a highly expert specialist technical audience such as the one on this mailing list.

So here is what I would say to this audience:

- How many resolvers and their clients will resolve a DNS name to an address if they are forced to use TCP?

- Our experiment used a modified DNS server that truncated all UDP at 512 bytes, and over 10 days we enlisted some 2 million end clients to perform a set of tests by using online ads. The ad used a very wide geographic and network variety, so there are good grounds to see this set as a reasonably representative sample of the internet's end user population.

- The authoritative nameserver saw 80,000 visible resolvers. 17% of them (13,400) did not switch to TCP and re-query upon receipt of truncated TCP. 0.4% of them appear to have some inbound TCP-blocking firewall/filter. The rest simply did not respond in TCP.

- These 13,400 resolvers were used by 6% of the end clients.

- 2/3 of these affected end clients switched to use an alternative resolver that was able to pose the query using UDP.

- the rest (2%, or 50,000 end clients) were unable to complete the DNS query at all.

- We retested, using a slightly different DNS nameserver configuration with a smaller UDP truncation threshold, over a further 700,000 end clients and saw a similar outcome.

regards,

 Geoff
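The mechanism the experiment exercises, as an added example that is not part of the original post or of APNIC's test harness: the server side cuts any UDP response above a byte threshold and sets the TC bit, and a correctly behaving resolver must notice TC and re-query over TCP. Wire formats follow RFC 1035; the query name, the addresses and the "keep only the question section on truncation" policy are illustrative assumptions, not a description of the modified server Geoff used.

```python
"""Server-side UDP truncation and client-side TC fallback check (RFC 1035).

Added example. The truncation policy below (keep header + question, zero the
RR counts, set TC) is one common server behaviour and is assumed here; the
real test server's exact policy is not described in the post.
"""
import struct

DNS_FLAG_TC = 0x0200      # TC bit in the flags word (RFC 1035 section 4.1.1)
DNS_HEADER_LEN = 12
UDP_DEFAULT_MAX = 512     # classic UDP payload ceiling without EDNS0


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal query: RD=1, one question, no EDNS0 (so 512 bytes applies)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name starting at off."""
    while True:
        ln = msg[off]
        if ln == 0:                 # root label terminates the name
            return off + 1
        if ln & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln


def _question_end(msg: bytes) -> int:
    """Offset of the first byte after the question section."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = DNS_HEADER_LEN
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # QNAME then QTYPE + QCLASS
    return off


def parse_header(msg: bytes):
    """(id, flags, qdcount, ancount, nscount, arcount) from a DNS message."""
    if len(msg) < DNS_HEADER_LEN:
        raise ValueError("short DNS message")
    return struct.unpack("!HHHHHH", msg[:DNS_HEADER_LEN])


def build_answer(query: bytes, addrs) -> bytes:
    """Constructed authoritative reply: echo the question, one A RR per address.
    Each RR is 16 bytes: pointer to QNAME (0xC00C), type, class, TTL, RDLENGTH, 4-byte RDATA."""
    txid = parse_header(query)[0]
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, len(addrs), 0, 0)  # QR AA RD RA
    rrs = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + query[DNS_HEADER_LEN:_question_end(query)] + rrs


def truncate_for_udp(response: bytes, max_bytes: int = UDP_DEFAULT_MAX) -> bytes:
    """Server side: responses over max_bytes are cut back to header + question
    with TC=1, which is what tells the client it must retry over TCP."""
    if len(response) <= max_bytes:
        return response
    txid, flags, qd, _an, _ns, _ar = parse_header(response)
    new_header = struct.pack("!HHHHHH", txid, flags | DNS_FLAG_TC, qd, 0, 0, 0)
    return new_header + response[DNS_HEADER_LEN:_question_end(response)]


def needs_tcp_retry(response: bytes) -> bool:
    """Client side: the check the 17% of resolvers in the study did not act on."""
    return bool(parse_header(response)[1] & DNS_FLAG_TC)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def simulate(addr_count: int, udp_max: int = UDP_DEFAULT_MAX) -> dict:
    """Run one query through the truncating server and report what a resolver sees."""
    q = build_query("example.test")                       # assumed name
    full = build_answer(q, ["192.0.2.%d" % (i % 254 + 1) for i in range(addr_count)])
    on_wire = truncate_for_udp(full, udp_max)
    return {"full_len": len(full), "udp_len": len(on_wire),
            "tc": needs_tcp_retry(on_wire), "tcp_len": len(tcp_frame(full))}


if __name__ == "__main__":
    for n, limit in ((5, 512), (40, 512), (5, 64)):
        print(n, "A records, UDP limit", limit, "->", simulate(n, limit))
```

A resolver that stops at `needs_tcp_retry(...) == True` without opening a TCP connection is exactly the failure mode the study counted; the third case in the `__main__` loop mirrors the retest with a smaller truncation threshold, where even a modest answer forces the TCP path.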



