[dns-operations] Force TCP for external queries to Open Resolvers?

Vernon Schryver vjs at rhyolite.com
Sun Mar 31 13:39:06 UTC 2013

> From: Xun Fan <xunfan at isi.edu>

> to discuss here is TCP. Someone says TCP is expensive, but if we could
> afford entirely shutting down external queries, then two more RTTs to get a
> response seems trivial.

      client                    server
1.  DNS request/UDP     -->
2.                      <--     DNS response/UDP

A normal DNS transaction would end here.  Forcing TCP requires the following:

3.      TCP SYN         -->
4.                      <--     TCP SYN-ACK
5.      TCP SYN-ACK     -->
6.   DNS request/TCP    -->
7.                      <--     DNS response/TCP
8.      TCP FIN         -->
9.                      <--     TCP ACK
10.                     <--     TCP FIN
11.     TCP ACK         -->

(That's what I see with `tcpdump -n -i ZZ0 port 53 and host XXX`
during `dig +vc YYYY.com @XXX`   Try it yourself.)

That increase from 2 to 11 packets and from 1 to 5 round trips is not
the only cost.  There is also dealing with the pile of transmission
control blocks (TCBs) for the duration of the time-wait delay, and on
a busy server those costs can be worse.

>               . And as an internet measurement researcher, I also find
> value in open resolvers in some research projects, as they greatly extend
> our view of the Internet. I would like to find a way to solve the problem
> that we are facing now, while preserving the open resolvers for their good side.

Open resolvers are certainly not justified by the needs
of researchers.

> So do you think "force TCP for external queries to OR" is a feasible
> solution to DNS reflect amplification problem?

There are several reasons why it is not feasible.  The owners of almost
all of the many millions of open resolvers would be happier if they
were closed.  Almost all open resolvers are unintentionally open and
use of them by outsiders is an objectionable waste of bandwidth, CPU
cycles, and other resources.  It would be easier for their owners to
close them than to change them to force DNS/TCP, because in many cases
closing consists of correcting configuration errors or adjusting
firewalls to drop incoming packets addressed to UDP/53 while forcing
TCP requires changing software (or CPE firmware).

Vernon Schryver    vjs at rhyolite.com
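Added example, not code from this thread: the usual way a resolver "forces TCP" is to answer a UDP query with the TC (truncated) bit set and no answer data, which makes an RFC 1035 compliant client retry over TCP. The point for reflection is that such a reply is never larger than the query, so the amplification factor collapses to 1 (the TCP cost described above is then paid by the client, not reflected onto a victim). Names and the sample query are constructed for illustration.

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100  # DNS header flag bits

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed client query: RD=1, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def question_end(msg: bytes) -> int:
    """Offset just past the single question (QNAME + QTYPE + QCLASS)."""
    off = 12
    while msg[off] != 0:
        if msg[off] & 0xC0:            # compression pointer: 2 bytes, then type/class
            return off + 2 + 4
        off += 1 + msg[off]            # skip one label
    return off + 1 + 4                 # root label byte + QTYPE + QCLASS

def truncated_reply(query: bytes) -> bytes:
    """Reply with QR=1, TC=1, RCODE=0 and only the echoed question.
    A compliant client must retry the same question over TCP."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, QR | TC | (flags & RD), qd, 0, 0, 0)
    return header + query[12:question_end(query)]

def is_truncated(reply: bytes) -> bool:
    return bool(struct.unpack("!H", reply[2:4])[0] & TC)

def amplification(query: bytes, reply: bytes) -> float:
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return len(reply) / len(query)

if __name__ == "__main__":
    q = build_query("example.com", 255)   # type ANY, the classic reflection query
    r = truncated_reply(q)
    print(f"query {len(q)} bytes, reply {len(r)} bytes, "
          f"TC={is_truncated(r)}, amplification={amplification(q, r):.2f}")
```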
