[dns-operations] Force TCP for external queries to Open Resolvers?

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Mar 31 14:18:42 UTC 2013

On Sun, Mar 31, 2013 at 02:30:50AM -0700,
 Xun Fan <xunfan at isi.edu> wrote 
 a message of 90 lines which said:

> Instead of closing the open resolvers, can we just force queries
> from external networks to use TCP?

A very good idea, IMHO. 

> Say reply to queries from external networks with a short truncate
> UDP to signal querier to turn to TCP?

Even better, allow only TCP from the beginning. This would completely
suppress the amplification (that you still have with the truncated

As far as I know, no existing resolving software implements that so
the only way to deploy this approach would be with instructing the
firewall to block incoming UDP/53.

> Rate limiting is coming but many people think it's better for
> authoritative name servers.

Also, almost all the ORN are unmanaged machines, which will not deploy
new mitigations, whether TCP or rate-limiting.

> And as an internet measurement researcher, I also find the value of
> open resolvers in some research projects that OR greatly extend our
> view to the Internet.

Another solution for this use is the DNS looking glass 
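As an added illustration of the "short truncated UDP reply" idea discussed above (this is example code written for this page, not anything from the thread participants or any resolver software): the helpers below encode an ANY query in DNS wire format, build the minimal reply a resolver would send to push the client to TCP (same ID, QR=1, TC=1, question echoed, zero records), and compute the bytes-out-per-byte-in ratio. The query name and the 3000-byte "full answer" figure are constructed for the comparison, not measured values.

```python
"""Minimal DNS wire-format helpers showing what a truncated (TC=1) UDP reply
looks like and how it bounds the amplification factor of an open resolver.
Example code for this page; not from any resolver implementation."""
import struct


def build_query(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Encode a DNS query for `name` (QTYPE 255 = ANY, the classic
    amplification query). Flags RD=1, one question, no other sections."""
    flags = 0x0100  # QR=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def question_length(msg: bytes) -> int:
    """Byte length of the single question section that follows the 12-byte
    header: QNAME labels + 2-byte QTYPE + 2-byte QCLASS."""
    pos = 12
    while True:
        label_len = msg[pos]
        pos += 1
        if label_len == 0:
            break
        pos += label_len
    return pos + 4 - 12


def truncated_reply(query: bytes) -> bytes:
    """Build the short reply that tells the client to retry over TCP: same ID,
    QR=1, TC=1, RD copied from the query, RA=1, question echoed, and zero
    answer/authority/additional records."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    rd = flags & 0x0100
    reply_flags = 0x8000 | 0x0200 | rd | 0x0080  # QR | TC | RD | RA
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)
    qlen = question_length(query)
    return header + query[12:12 + qlen]


def is_truncated(msg: bytes) -> bool:
    """True when the TC bit is set in the flags word."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & 0x0200)


def amplification(query: bytes, reply: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends (spoofed source)."""
    return len(reply) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    tc = truncated_reply(q)
    # A full ANY answer for a large or DNSSEC-signed zone can run to several KB
    # over UDP with EDNS0; 3000 bytes is a constructed figure for comparison.
    FULL_UDP_ANSWER_LEN = 3000
    print(f"query {len(q)} bytes, TC reply {len(tc)} bytes, "
          f"factor {amplification(q, tc):.2f}")
    print(f"full UDP answer factor {FULL_UDP_ANSWER_LEN / len(q):.1f}")
```

With the truncated reply the resolver still reflects traffic toward the spoofed source, but the reply is only as large as the question it echoes, so the ratio is about 1:1 instead of the tens-to-hundreds that a full UDP ANY answer can give. Refusing UDP entirely (or blocking UDP/53 at the firewall, as mentioned above) removes even that reflected byte.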

