[dns-operations] Force TCP for external quereis to Open Resolvers?
Xun Fan
xunfan at isi.edu
Sun Mar 31 16:47:54 UTC 2013
On Sun, Mar 31, 2013 at 7:18 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr>wrote:
> On Sun, Mar 31, 2013 at 02:30:50AM -0700,
> Xun Fan <xunfan at isi.edu> wrote
> a message of 90 lines which said:
>
> > Instead of closing the open resolvers, can we just force queries
> > from external networks to use TCP?
>
> A very good idea, IMHO.
>
Thanks!
>
> > Say reply to queires from external networks with a short truncate
> > UDP to signal querier to turn to TCP?
>
> Even better, allow only TCP from the beginning. This would completely
> suppress the amplification (that you still have with the truncated
> response).
>
If we could control the size of truncated response (with truncate flag set
to 1), then
this won't be a big problem.
>
> As far as I know, no existing resolving software implements that so
> the only way to deploy this approach would be with instructing the
> firewall to block incoming UDP/53.
>
Yes, not a existing implementation, so I want to hear from the community:
1) what are the potential problems about this solution?
2) Is it worth implementing?
>
> > Rate limiting is coming but many people think it's better for
> > authoritative name servers.
>
> Also, almost all the ORN are unmanaged machines, which will not deploy
> new mitigations, whether TCP or rate-limiting.
>
> > And as a internet measurement researcher, I also find the value of
> > open resolvers in some research projects that OR greatly extend our
> > view to the Internet.
>
> Another solution for this use is the DNS looking glass
> <http://www.bortzmeyer.org/dns-lg.html>.
>
Yes, thanks! This is a great project that I am going to participate.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130331/25d855d2/attachment.html>
More information about the dns-operations
mailing list