[dns-operations] A dns-proxy for DNS over HTTP(s)

宋林健 ljsong at biigroup.cn
Tue Aug 25 14:43:48 UTC 2015

Sorry, but IMHO the connectionless feature of DNS is becoming the major security vector to launch severe DDoS attacks.

Btw: what concrete scalability concern do you mean? I do not find any DNS requirements that cannot be fulfilled by web technology. Well, if you say you do not have such a budget to upgrade the system, it's another story.


From: "Roland Dobbins"<rdobbins at arbor.net>
Date: 2015/08/25 20:00:23
To: "dns-operations"<dns-operations at dns-oarc.net>;
Subject: Re: [dns-operations] A dns-proxy for DNS over HTTP(s)

On 25 Aug 2015, at 18:36, Stephane Bortzmeyer wrote:

> Many high-profile sites host HTTP (and, now, HTTPS) services and have 
> the experience and the tools to fight DDoS attacks.

Actually, many high-profile organizations do this very poorly - 
surprisingly so.

And it's not just the high-profile organizations I'm worried about.

> To the contrary, there are more software and human resources to deal 
> with TCP services than with UDP ones.

Encryption complicates matters greatly, and DNS traffic/query patterns 
are quite different from Web.

Even without DDoS attacks, scalability is a concern.  Add DDoS attacks, 
and things get a whole lot more complicated and much less scalable.

Roland Dobbins <rdobbins at arbor.net>