[dns-operations] Force TCP for external queries to Open Resolvers?

Xun Fan xunfan at isi.edu
Sun Mar 31 16:47:54 UTC 2013

On Sun, Mar 31, 2013 at 7:18 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr>wrote:

> On Sun, Mar 31, 2013 at 02:30:50AM -0700,
>  Xun Fan <xunfan at isi.edu> wrote
>  a message of 90 lines which said:
> > Instead of closing the open resolvers, can we just force queries
> > from external networks to use TCP?
> A very good idea, IMHO.


> > Say reply to queries from external networks with a short truncated
> > UDP response to signal the querier to turn to TCP?
> Even better, allow only TCP from the beginning. This would completely
> suppress the amplification (that you still have with the truncated
> response).

If we could control the size of the truncated response (with the truncate
flag set to 1), then this won't be a big problem.

> As far as I know, no existing resolving software implements that so
> the only way to deploy this approach would be with instructing the
> firewall to block incoming UDP/53.

Yes, there is no existing implementation, so I want to hear from the community:
1) What are the potential problems with this solution?
2) Is it worth implementing?

> > Rate limiting is coming but many people think it's better for
> > authoritative name servers.
> Also, almost all the ORN are unmanaged machines, which will not deploy
> new mitigations, whether TCP or rate-limiting.
> > And as an Internet measurement researcher, I also see the value of
> > open resolvers in some research projects, where ORs greatly extend
> > our view of the Internet.
> Another solution for this use is the DNS looking glass
> <http://www.bortzmeyer.org/dns-lg.html>.

Yes, thanks! This is a great project that I am going to participate in.
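The "short truncated UDP" reply discussed above, as an added example that is not code from the thread or from any resolver. It builds the smallest TC=1 response a resolver can send (the 12-byte header plus the echoed question, with the EDNS OPT record and any answer data dropped), applies it only to sources outside an assumed set of internal prefixes (INTERNAL_NETS is an assumption), and computes the amplification factor so the size concern in the reply can be checked. The sample query (isc.org/ANY with EDNS0) is constructed here for illustration.

```python
"""Minimal TC=1 stub reply for external queries to an open resolver.

Added example (not from the dns-operations thread). Shows what a
truncated UDP reply looks like on the wire and why its amplification
factor is at most 1: the reply carries only the header and the echoed
question, never answer records or the client's EDNS OPT record.
"""
import struct
from ipaddress import ip_address, ip_network

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 4.1.1)
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100

# Assumption: clients inside these prefixes are "internal"; all others
# are external and get the TC=1 stub reply.
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def question_length(msg: bytes, offset: int = 12) -> int:
    """Length of the single question section starting at offset.

    Compression pointers are rejected: a query's question name is never
    compressed, and following pointers in untrusted input is how parsers
    end up looping."""
    i = offset
    while True:
        if i >= len(msg):
            raise ValueError("truncated question")
        ll = msg[i]
        if ll == 0:
            i += 1
            break
        if ll & 0xC0:
            raise ValueError("compression pointer in question name")
        i += 1 + ll
    i += 4  # QTYPE + QCLASS
    if i > len(msg):
        raise ValueError("truncated question")
    return i - offset


def build_query(name: str, qtype: int = 255, edns_payload: int = 4096,
                qid: int = 0x1234) -> bytes:
    """Constructed sample query: <name>/ANY with an EDNS0 OPT record,
    the shape typically used to reflect off open resolvers."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)
    return header + question + opt


def truncated_reply(query: bytes) -> bytes:
    """Header + echoed question, QR=1 TC=1, no answer/authority/additional."""
    if len(query) < 12:
        raise ValueError("short DNS message")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("not a single-question query")
    qlen = question_length(query)
    # Keep the client's RD bit, RCODE NOERROR; AN/NS/AR counts are 0, so
    # the client's OPT record is dropped rather than echoed back.
    rflags = FLAG_QR | FLAG_TC | (flags & FLAG_RD)
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return header + query[12:12 + qlen]


def amplification(query: bytes, reply: bytes) -> float:
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return len(reply) / len(query)


def handle_udp_query(src_ip: str, query: bytes):
    """Policy from the thread: external sources get the TC=1 stub and
    must retry over TCP; internal sources go to the real resolver
    (represented here by returning None)."""
    src = ip_address(src_ip)
    if any(src in net for net in INTERNAL_NETS):
        return None
    return truncated_reply(query)


if __name__ == "__main__":
    q = build_query("isc.org")
    r = handle_udp_query("198.51.100.7", q)
    print(len(q), "byte query ->", len(r), "byte TC reply, factor",
          round(amplification(q, r), 3))
```

For the constructed 36-byte EDNS query the stub reply is 25 bytes, so the factor is below 1.0; for a query without EDNS it is exactly 1.0, and it can never exceed 1.0 because the reply contains nothing the query did not already carry. Blocking UDP/53 at the firewall, as suggested in the quoted text, reduces this to 0 at the cost of the TC-based signal.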