[dns-operations] Force TCP for external quereis to Open Resolvers?

[Jim Reid]

On 31 Mar 2013, at 15:30, Vernon Schryver <vjs at rhyolite.com> wrote:

>> From: Jim Reid <jim at rfc1035.com>
> 
>> I'm not sure it will make a difference though. The bad guys won't
>> bother to do TCP for the obvious reason and will stick with their
>> current, DNS protocol conformant, behaviour.
> 
> The bad guys would not be able to stick with anything.  The idea
> is to change all DNS servers to answer all DNS/UDP requests (or
> perhaps all outside requests) with truncated (TC=1) responses to
> force clients to retry with DNS/TCP.

Yes, I realise that.

In this case, DDoS attackers would get those truncated responses sent to their victims. OK, they lose the amplification factor but they still get to flood the victim(s) with unsolicited traffic. If that lost payload matters to the attacker, they can just ramp up the size of their botnet or the number of reflecting name servers to compensate: ie arrange for more but smaller responses. All they'd be doing is adjusting the variables they control to get the desired effect. So from their perspective if an ANY and/or DO query is no longer enough by itself, just throw more hardware at the problem and carry on as before.

>> I expect TCP to an anycast resolver -- say 8.8.8.8? -- will prove
>> tricky for long-lived connections.
> 
> Which long-lived DNS/TCP connections are those?

I was thinking of the use case where an application's resolver opens a TCP connection and assumes it stays open until the application goes away: eg the resolver in a web browser opening a connection to 8.8.8.8 and shoving all its DNS lookups down that until the web session ends some hours later.