[dns-operations] Force TCP for external queries to Open Resolvers?

Vernon Schryver vjs at rhyolite.com
Sun Mar 31 18:09:01 UTC 2013


> From: Paul Wouters <paul at nohats.ca>

> Not all open resolvers are run by brainless admins..... And I believe
> open resolvers are crucial to the open nature of the internet.

There is a much better case for open SMTP relays, but we all know
how that turned out.

More power to you if you can follow the lead of Google, OpenDNS, and
others in running open resolvers that do not abuse the rest of the
Internet.  However, in real life the history of SMTP relays is being
repeated.  Not only are almost all open resolvers orphans that would
be closed if their owners knew about them, but most intentionally open
resolvers are run by brainless admins with silly delusions of being
competent enough to prevent abuse.
If you (anyone) are running an open resolver and not deluded, then
great!--but just as with SMTP relays, if you are running an open
resolver or relay, you're probably fooling yourself.

    ....

] From: Joe Abley <jabley at hopcount.ca>

] There seems to be an implicit assumption in this thread that when
] we say DNS over TCP, we mean setting up a TCP session and tearing it
] down again once per query.

In practice on the real Internet, that is what will continue to be
so for the foreseeable future.  If we could change those 21 million
open resolvers to cache TCP sessions, then we'd also close them and
so not need to pay any of the costs of TCP.


] If instead we imagine persistent pools of TCP connections open between
] stubs and resolvers which are rarely set up or torn down, how is the
] overhead in bandwidth, latency and CPU cycles substantially different
] from UDP?

For the duration of the TCP connection, you use only 3 packets per
request (request, response, and ack unless the ack is piggybacked
on the next request) and so only 50% more bandwidth than UDP.

However, even if you don't think 50% more bandwidth and packets matter,
there are cheaper ways to save enough state to recognize repeat
clients.  Neither the client nor the server need a 100 or 200 byte
TCB for DNS cookies.
https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03
With DNS cookies, servers don't need to save any state at all.  That
sounds better than expecting the roots to maintain millions of open
TCP connections.


Vernon Schryver    vjs at rhyolite.com
