[dns-operations] Force TCP for external queries to Open Resolvers?

Xun Fan xunfan at isi.edu
Sun Mar 31 09:30:50 UTC 2013


Instead of closing the open resolvers, can we just force queries from
external networks to use TCP? Say, reply to queries from external
networks with a short truncated UDP response to signal the querier to turn to TCP? This
will help disable reflect amplification while leaving a door open for
legitimate users of open resolvers. (I don't know if this idea has been
discussed before; if so, can anyone please give me a link to the discussion?
Thanks!)

I have been looking around on several mailing lists recently and saw many
people vote for shutting down OR. The primary reason, AFAIK, is that OR enable
DNS reflect amplification attacks and the problem is getting more serious
recently. No doubt we have to solve this problem because someone is
hurt and potentially many others.

I saw several key words, BCP38, rate limiting and TCP. While BCP38 is the
best solution, it takes time to be deployed. Rate limiting is coming but
many people think it's better for authoritative name servers. What I want
to discuss here is TCP. Someone says TCP is expensive, but if we could
afford entirely shutting down external queries, then two more RTTs to get a
response seems trivial.

There are some posts, reasonable or not, stating some legitimate cases for
open resolvers. And as an internet measurement researcher, I also find
value in open resolvers in some research projects, as OR greatly extend
our view of the Internet. I would like to find a way to solve the problem
that we are facing now while preserving the open resolvers for their good side.

So do you think "force TCP for external queries to OR" is a feasible
solution to DNS reflect amplification problem?



Xun Fan
USC/ISI
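The mechanism proposed in the post (answer UDP queries from external networks with a short truncated reply so the client retries over TCP, while internal clients still get the full answer over UDP) is modelled below as an added example; it is not code from the original post or from any resolver. The internal network list, the query and the stand-in "large ANY answer" are constructed assumptions used only to show the size ratio before and after the policy.

```python
"""Added example (not from the original post): a minimal model of
"reply to external UDP queries with a short truncated answer".

Constructed for illustration: the internal network list, the query and
the stand-in large answer are assumptions, not real data."""
import ipaddress
import struct

# Assumed: networks treated as "internal"; every other source is "external".
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # DNS header flag bits
TYPE_ANY, TYPE_OPT, CLASS_IN = 255, 41, 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname: str, qtype: int = TYPE_ANY, qid: int = 0x1234,
                udp_size: int = 4096) -> bytes:
    """Recursive query with an EDNS0 OPT record advertising a large UDP
    buffer: the shape of query that yields the biggest UDP answers."""
    header = struct.pack("!6H", qid, RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def question_length(msg: bytes) -> int:
    """Bytes occupied by the single question section after the header."""
    pos = 12
    while True:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in query name")
        pos += 1
        if n == 0:
            break
        pos += n
    return pos + 4 - 12  # name + QTYPE + QCLASS


def header_flags(msg: bytes) -> int:
    """Flags word of a DNS message."""
    return struct.unpack("!H", msg[2:4])[0]


def truncated_reply(query: bytes) -> bytes:
    """Empty answer with TC=1 that echoes only the question.  The OPT
    record is not copied, so the reply is never larger than the query."""
    qid, flags, *_ = struct.unpack("!6H", query[:12])
    reply_flags = QR | TC | RA | (flags & RD)
    header = struct.pack("!6H", qid, reply_flags, 1, 0, 0, 0)
    return header + query[12:12 + question_length(query)]


def fake_large_answer(query: bytes, size: int = 3000) -> bytes:
    """Stand-in for a big ANY answer (constructed padding, not real RRs)."""
    qlen = question_length(query)
    head = struct.pack("!6H", struct.unpack("!H", query[:2])[0],
                       QR | RA | RD, 1, 0, 0, 0)
    return head + query[12:12 + qlen] + b"\x00" * (size - 12 - qlen)


def is_external(src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in INTERNAL_NETS)


def udp_response(src_ip: str, query: bytes, full_answer: bytes) -> bytes:
    """Policy from the post: internal sources get the real answer over
    UDP; external sources get a truncated stub and must retry over TCP."""
    return truncated_reply(query) if is_external(src_ip) else full_answer


def amplification(query: bytes, reply: bytes) -> float:
    """Bytes sent toward the (possibly spoofed) source per byte received."""
    return len(reply) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    big = fake_large_answer(q)
    for src in ("192.0.2.10", "203.0.113.5"):
        r = udp_response(src, q, big)
        print(src, "external" if is_external(src) else "internal",
              len(q), "->", len(r), "bytes, x%.2f" % amplification(q, r))
```

Because the truncated stub carries no answer and no OPT record, it is smaller than the query that triggered it, so a spoofed external query can no longer cause the resolver to send more bytes than it received; the legitimate external client sees TC=1 and retries over TCP, where the three-way handshake proves it owns the source address. The resolver must of course still accept TCP on port 53 for this to leave the door open.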