[dns-operations] Force TCP for external quereis to Open Resolvers?
paul.hoffman at vpnc.org
Sun Mar 31 15:10:25 UTC 2013
On Mar 31, 2013, at 7:58 AM, Jim Reid <jim at rfc1035.com> wrote:
> In this case, DDoS attackers would get those truncated responses sent to their victims. OK, they lose the amplification factor but they still get to flood the victim(s) with unsolicited traffic.
Just to be clear, this is true for any open UDP server of any sort, not just DNS servers.
There are two reasons why attackers use open DNS resolvers for attacks:
b) inability of the target to find the real source
The proposal of "if open, must do TCP" fixes both of these for the DNS protocol, but does not solve (b), and probably not (a), for the Internet.
More information about the dns-operations