[dns-operations] Force TCP for external queries to Open Resolvers?

Paul Hoffman paul.hoffman at vpnc.org
Sun Mar 31 15:10:25 UTC 2013

On Mar 31, 2013, at 7:58 AM, Jim Reid <jim at rfc1035.com> wrote:

> In this case, DDoS attackers would get those truncated responses sent to their victims. OK, they lose the amplification factor but they still get to flood the victim(s) with unsolicited traffic. 

Just to be clear, this is true for any open UDP server of any sort, not just DNS servers.

There are two reasons why attackers use open DNS resolvers for attacks:
a) amplification
b) inability of the target to find the real source

The proposal of "if open, must do TCP" fixes both of these for the DNS protocol, but does not solve (b), and probably not (a), for the Internet.

--Paul Hoffman
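To make the "truncated responses lose the amplification factor" point concrete, here is an added example that is not part of the thread: it builds a wire-format DNS query, the minimal TC-bit response an open resolver could return to push the client onto TCP, and compares the byte amplification against a constructed full-size UDP answer (the 3000-byte figure is an assumption, not a measurement).

```python
import struct

QR_FLAG = 0x8000  # response bit
TC_FLAG = 0x0200  # truncated bit: "retry over TCP"
RD_FLAG = 0x0100  # recursion desired


def build_query(qname: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query (RFC 1035): 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def truncated_response(query: bytes) -> bytes:
    """Answer a resolver can send over UDP instead of real data: same ID,
    QR and TC set, zero answer records, question section echoed back."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags |= QR_FLAG | TC_FLAG
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + query[12:]


def is_truncated(packet: bytes) -> bool:
    """True when the TC bit is set in the DNS header flags."""
    return bool(struct.unpack("!H", packet[2:4])[0] & TC_FLAG)


def amplification(query: bytes, response: bytes) -> float:
    """DNS-payload amplification factor: response bytes per query byte."""
    return len(response) / len(query)


def compare(qname: str, full_udp_response_len: int) -> dict:
    """Amplification a spoofed query yields with a full UDP answer versus
    with a TC-only answer; the second is ~1x, i.e. reflection without gain."""
    q = build_query(qname)
    tc = truncated_response(q)
    return {
        "query_bytes": len(q),
        "full_response_factor": full_udp_response_len / len(q),
        "truncated_response_factor": amplification(q, tc),
        "truncated_flag_set": is_truncated(tc),
    }


if __name__ == "__main__":
    # 3000 bytes is a constructed, illustrative size for a large ANY answer.
    for k, v in compare("example.com", 3000).items():
        print(f"{k}: {v}")
```

The truncated reply still lands on the spoofed source address, which is the residual flooding the thread discusses; only the size multiplier disappears.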
