[dns-operations] A dns-proxy for DNS over HTTP(s)

Roland Dobbins rdobbins at arbor.net
Tue Aug 25 11:02:41 UTC 2015


On 25 Aug 2015, at 16:29, Stephane Bortzmeyer wrote:

> But, since it runs over TCP, there are much lower risks than with UDP.

In the rush to encrypt DNS queries, whether over UDP or via HTTP over 
TCP or whatever, it seems that very little (any at all?) thought has 
been given to the fact that this drastically complicates and raises the 
costs and lowers the scalability ratio for defending the DNS itself 
against DDoS attacks.

I'm not sure what the end-state of this rush to encrypting DNS queries 
is going to be, but my guess is that it's going to have a significant 
negative impact on the ability of many DNS operators - e.g., anyone who 
runs DNS services, whether recursive or authoritative or both, for 
others or just for their own organizations - to maintain availability of 
their DNS services in the face of attack.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
