[dns-operations] A dns-proxy for DNS over HTTP(s)
rdobbins at arbor.net
Tue Aug 25 11:02:41 UTC 2015
On 25 Aug 2015, at 16:29, Stephane Bortzmeyer wrote:
> But, since it runs over TCP, there are much lower risks than with UDP.
In the rush to encrypt DNS queries, whether over UDP or via HTTP over
TCP or whatever, it seems that very little (any at all?) thought has
been given to the fact that this drastically complicates and raises the
costs and lowers the scalability ratio for defending the DNS itself
against DDoS attacks.
I'm not sure what the end-state of this rush to encrypting DNS queries
is going to be, but my guess is that it's going to have a significant
negative impact on the ability of many DNS operators - e.g., anyone who
runs DNS services, whether recursive or authoritative or both, for
others or just for their own organizations - to maintain availability of
their DNS services in the face of attack.
Roland Dobbins <rdobbins at arbor.net>