[dns-operations] DNSCrypt.
Dobbins, Roland
rdobbins at arbor.net
Fri May 31 15:14:13 UTC 2013
On May 31, 2013, at 10:02 PM, Ken A wrote:
> What is keeping nameserver vendors from building this into servers?
Potentially severe scaling issues, plus it makes it a lot harder to detect/classify/mitigate DNS-based DDoS attacks if the traffic is encrypted. Fairly widespread misguided TCP/53 filtering, as well, if the DNSCrypt traffic is destined for TCP/53.
AFAIK, there's never been any real testing in the modern era of forcing all DNS queries via TCP (and not even back in Ye Olden Days; folks just assumed it wasn't scalable without any empirical evidence, AFAIK). If it scales on modern hardware (as I personally think it might), DNS-over-TCP would solve a great deal of the problem-set DNSSEC is supposed to solve with far fewer moving parts, and all the way down to the stub resolver.
And incidentally negating DNS reflection/amplification attacks as a beneficial side-effect.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton