[dns-operations] DNSCrypt.

Dobbins, Roland rdobbins at arbor.net
Fri May 31 15:14:13 UTC 2013


On May 31, 2013, at 10:02 PM, Ken A wrote:

> What is keeping nameserver vendors from building this into servers?

Potentially severe scaling issues, plus it makes it a lot harder to detect/classify/mitigate DNS-based DDoS attacks if the traffic is encrypted.  Fairly widespread misguided TCP/53 filtering, as well, if the DNSCrypt traffic is destined for TCP/53.

AFAIK, there's never been any real testing in the modern era of forcing all DNS queries via TCP (and not even back in Ye Olden Days; folks just assumed it wasn't scalable without any empirical evidence, AFAIK).  If it scales on modern hardware (as I personally think it might), DNS-over-TCP would solve a great deal of the problem-set DNSSEC is supposed to solve with far fewer moving parts, and all the way down to the stub resolver.  

And, incidentally, it would negate DNS reflection/amplification attacks as a beneficial side-effect.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
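To make the DNS-over-TCP argument above concrete, here is an added example (not from the post, nor from any DNS server's code) that encodes a query in RFC 1035 wire format, applies the TCP length-prefix framing, and models how many bytes a forged source address receives per byte sent over UDP versus over a TCP SYN. The header sizes and the 3000-byte response are assumptions chosen for illustration.

```python
import struct

IP_HDR, UDP_HDR, TCP_HDR = 20, 8, 20  # IPv4 and transport headers without options (assumed)

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query in RFC 1035 wire format (RD bit set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def frame_tcp(msg: bytes) -> bytes:
    """DNS-over-TCP framing: two-byte big-endian length prefix (RFC 1035 section 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg

def unframe_tcp(stream: bytes) -> tuple:
    """Split a TCP byte stream into complete DNS messages.

    Returns (messages, leftover); copes with several messages in one segment and
    with a message whose tail has not arrived yet (leftover is kept for the next read).
    """
    msgs, off = [], 0
    while off + 2 <= len(stream):
        n = struct.unpack_from("!H", stream, off)[0]
        if off + 2 + n > len(stream):
            break  # incomplete message: wait for more data
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, stream[off:]

def on_wire_amplification(query: bytes, response: bytes, transport: str) -> float:
    """Bytes a spoofed victim receives per byte the sender emits, by transport.

    UDP: the full response is reflected to the forged source address.
    TCP: the forged SYN never completes the handshake, so the reflector only
    returns a SYN-ACK of about the same size and no query is ever answered.
    """
    if transport == "udp":
        return (IP_HDR + UDP_HDR + len(response)) / (IP_HDR + UDP_HDR + len(query))
    if transport == "tcp":
        return (IP_HDR + TCP_HDR) / (IP_HDR + TCP_HDR)
    raise ValueError(f"unknown transport {transport!r}")

if __name__ == "__main__":
    q = build_query("example.com")
    big = q + b"\x00" * (3000 - len(q))  # constructed stand-in for a large answer
    print(len(q), len(frame_tcp(q)))
    print(round(on_wire_amplification(q, big, "udp"), 1), on_wire_amplification(q, big, "tcp"))
```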



