[dns-operations] Force TCP for external queries to Open Resolvers?

Vernon Schryver vjs at rhyolite.com
Sun Mar 31 19:42:37 UTC 2013


> From: Xun Fan <xunfan at isi.edu>

> What we discuss here is for those administrators who are willing to do
> something to their OR. Look at what options they have
> now:
> 1) keep open => DNS amp attackers are happy
> 2) close => no one can query from outside

The idea that those are the only alternatives is as mistaken as the
idea that DNS/UDP packets forcing TCP would contain 512 bytes.

You could invalidate the idea that those are the only current alternatives
by noticing that Google's 8.8.8.8 is open, famous for a long time, and
not abused.  I've recently seen more than one reference to
https://developers.google.com/speed/public-dns/docs/security#rate_limit

You could invalidate the idea about 512 byte truncated packets by
looking at the last line of `dig` output or using wireshark, tcpdump,
etc., by simply understanding the DNS protocol, or by reading many of
the places where forcing TCP with TC=1 has been proposed.  To get an
example of a truncated response, provoke one from a server that uses
RRL and a non-zero SLIP value with `repeat 50 dig ...`.


Please read http://www.redbarn.org/dns/ratelimits and the pages
linked from there for another supposed panacea for intentionally
open resolvers that is not as obviously broken as TC=1 forcing TCP.
When you understand why RRL is not a general solution for open
resolvers (not to mention noticing that RRL includes using TC=1),
perhaps you will also see why TC=1 is not a solution for intentionally
open resolvers.
(That some people have reported good enough results with RRL on
their open resolvers does not redeem it for general use on open
resolvers.)


Vernon Schryver    vjs at rhyolite.com
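As an added example (not part of Vernon Schryver's post, and not code from any resolver or from RRL), the following Python script makes the "512 byte" point concrete: it builds a query for example.com, builds the kind of QR=1/TC=1 reply that an RRL slip or a TCP-forcing resolver sends back (header plus echoed question, no resource records), reports its real on-wire size, and then walks the client-side fallback to TCP with the two-byte length framing from RFC 1035 section 4.2.2. The two transports are stand-in functions defined in the script, and the answer address 192.0.2.1 is from the RFC 5737 documentation range; nothing touches the network.

```python
"""Minimal DNS wire-format helpers showing what a TC=1 (truncated) reply
actually looks like and how a client retries over TCP.

Added example; not from the original mailing-list post. All messages are
constructed here, not captured from a real server.
"""
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Header (ID, flags=RD, QDCOUNT=1, other counts 0) + one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_truncated_reply(query: bytes) -> bytes:
    """What an RRL 'slip' or a TCP-forcing resolver returns: same ID, QR and TC
    set, question echoed, zero answer/authority/additional records."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_QR | FLAG_TC, qd, 0, 0, 0)
    return header + query[12:]  # question section copied verbatim


def build_answer_reply(query: bytes, ipv4: str) -> bytes:
    """A full reply with one A record; the owner name is a pointer (0xC00C) to
    the question name at offset 12."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, (flags | FLAG_QR) & ~FLAG_TC, qd, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4)
    rr += bytes(int(octet) for octet in ipv4.split("."))
    return header + query[12:] + rr


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; 'size' is the whole message length."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "size": len(msg)}


def amplification_factor(query: bytes, reply: bytes) -> float:
    """Bytes sent to the (possibly spoofed) source per byte of query."""
    return len(reply) / len(query)


def resolve(name: str, udp_send, tcp_send):
    """Client side: ask over UDP; on TC=1 repeat the same query over TCP,
    where every message is prefixed with a 2-byte big-endian length."""
    query = build_query(name)
    reply = udp_send(query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction ID mismatch")
    if not hdr["tc"]:
        return reply, "udp"
    framed = tcp_send(struct.pack("!H", len(query)) + query)
    length = struct.unpack("!H", framed[:2])[0]
    return framed[2:2 + length], "tcp"


# Stand-in transports (assumptions for this example): the UDP side behaves
# like a resolver that always truncates; the TCP side answers fully.
def fake_udp_send(query: bytes) -> bytes:
    return build_truncated_reply(query)


def fake_tcp_send(framed: bytes) -> bytes:
    length = struct.unpack("!H", framed[:2])[0]
    reply = build_answer_reply(framed[2:2 + length], "192.0.2.1")
    return struct.pack("!H", len(reply)) + reply


if __name__ == "__main__":
    q = build_query("example.com")
    t = build_truncated_reply(q)
    print("query bytes:", len(q), "truncated reply bytes:", len(t),
          "flags:", parse_header(t), "amplification:", amplification_factor(q, t))
    full, transport = resolve("example.com", fake_udp_send, fake_tcp_send)
    print("final answer via", transport, parse_header(full))
```

The truncated reply is exactly the query's own size (29 bytes for example.com), which is what `dig` reports in its last line and what a packet capture shows; the 512-byte figure is the classic UDP payload ceiling, not the size of a TC=1 reply.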


