[dns-operations] Force TCP for external queries to Open Resolvers?

Xun Fan xunfan at isi.edu
Sun Mar 31 20:26:03 UTC 2013


For me, the use case is "research". Of course I won't ask for ubiquitous
dns service only for my research.
I just noticed that there are people who are reluctant to close resolvers, and
this will leave more guns for attackers, so I think maybe there are middle
points that some of them could stand, having less harmful open resolvers.

If there are no use cases other than research, I agree to close them all.

I also agree that openness should not be the default setting.




On Sun, Mar 31, 2013 at 11:58 AM, Paul Vixie <paul at redbarn.org> wrote:

>
>
> Xun Fan wrote:
> > I want to emphasize here that my proposal is to use TCP only for
> > off-net users, for all users inside the same network as OR, they just
> > keep using UDP.
>
> i've been following this thread. i have not yet seen a motive for
> offering ubiquitous wide area dns services, whether by udp or tcp. can
> you explain what positive outcome you predict for the 20+ million open
> resolvers that jared's scan found last weekend, if instead of simply
> closing them down and avoiding the creation of any new ones, we do as
> you suggest and upgrade them to return TC=1 under UDP and to respond
> normally to TCP?
>
> what in other words is your proposed use case for 20+ million open
> resolvers? if it's "to support research" then i'll agree with vernon who
> said that the benefit of research does not outshine the cost of
> maintaining such a ubiquitous service. (for example, since a TC=1 packet
> is still a packet even though smaller, it's a good reflection tool for
> attacks, even if non-amplifying. to make it safe at scale you'd have to
> implement something like RRL to also cut the number of responses. this
> is new state and new logic, whose cost has to be taken into account.)
>
> >
> > As I said before, if there are millions off-net user, then the
> > administrator of the OR will make the judgement, probably won't close
> > their OR.
>
> this sounds like a response to something that has not been proposed.
> noone is saying you can't run an OR if you want to, only that (a) if you
> run it you should monitor it as closely as google and opendns monitor
> theirs; and (b) openness should not be the default setting such that
> it's on even for users who do not explicitly want it to be on.
>
> paul
>
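An added illustration of the mechanism discussed above (this is example code written for this page, not anything posted in the thread): a toy DNS responder that applies the proposed policy, answering on-net UDP and any TCP query normally while returning a TC=1 reply with no answer section to off-net UDP sources, and that then measures what an attacker still gets back. The on-net prefix, the sample answer records and the per-source response budget are assumptions for the example; the `RateLimiter` is a deliberately minimal stand-in for RRL, not an implementation of it.

```python
"""Toy model of "TC=1 for off-net UDP, normal answers for on-net and TCP".

Everything here is constructed for illustration: the ON_NET prefix, the
sample A records, and the rate-limit budget are assumptions, and the
RateLimiter is a simplified stand-in for a real RRL implementation.
"""
import ipaddress
import struct
from typing import List, Optional

# Assumed "on-net" client range of the open resolver (example value).
ON_NET = ipaddress.ip_network("192.0.2.0/24")

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """12-byte header (RD set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    """Return (txid, flags, question_section) from a single-question query."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    i = 12
    while pkt[i] != 0:  # walk the labels to find the end of QNAME
        i += 1 + pkt[i]
    i += 1
    return txid, flags, pkt[12:i + 4]  # QNAME + QTYPE + QCLASS


def full_response(txid: int, question: bytes, answers: List[bytes]) -> bytes:
    """Normal answer: one A record per rdata, owner via compression pointer."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA,
                         1, len(answers), 0, 0)
    rrs = b""
    for rdata in answers:
        # 0xC00C points at offset 12, the QNAME in the question section
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + rrs


def truncated_response(txid: int, question: bytes) -> bytes:
    """TC=1 reply: header + question only; a real client retries over TCP."""
    header = struct.pack("!HHHHHH", txid,
                         FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0)
    return header + question


def is_truncated(pkt: bytes) -> bool:
    return bool(struct.unpack("!H", pkt[2:4])[0] & FLAG_TC)


class RateLimiter:
    """Per-source budget of responses (assumed simplification of RRL)."""

    def __init__(self, per_window: int):
        self.per_window = per_window
        self.counts = {}

    def allow(self, src: str) -> bool:
        self.counts[src] = self.counts.get(src, 0) + 1
        return self.counts[src] <= self.per_window


def answer(pkt: bytes, src_ip: str, transport: str, answers: List[bytes],
           limiter: Optional[RateLimiter] = None) -> Optional[bytes]:
    """Policy from the thread: on-net UDP and any TCP get a full answer,
    off-net UDP gets TC=1.  With a limiter, off-net UDP replies past the
    budget are dropped entirely (None), which is what stops reflection."""
    txid, _flags, question = parse_query(pkt)
    on_net = ipaddress.ip_address(src_ip) in ON_NET
    if transport == "tcp" or on_net:
        return full_response(txid, question, answers)
    if limiter is not None and not limiter.allow(src_ip):
        return None
    return truncated_response(txid, question)


def reflection_ratio(query: bytes, response: Optional[bytes]) -> float:
    """Bytes sent to the (spoofed) source per byte the attacker sent.
    0 means nothing reflected; 1 is pure reflection; >1 is amplification."""
    return 0.0 if response is None else len(response) / len(query)


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    recs = [bytes([192, 0, 2, 10 + i]) for i in range(8)]  # constructed answers
    for src, tr in (("192.0.2.5", "udp"), ("198.51.100.7", "udp"), ("198.51.100.7", "tcp")):
        r = answer(q, src, tr, recs)
        print(src, tr, "TC" if is_truncated(r) else "full", "ratio=%.2f" % reflection_ratio(q, r))
```

Running the demo shows the point Paul makes: the off-net UDP reply is a single packet the same size as the query (ratio 1.0, no amplification), but it is still a packet aimed at whatever source address was spoofed, so only the rate limiter turns that into a dropped response.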