[dns-operations] A dns-proxy for DNS over HTTP(s)

Mark Andrews marka at isc.org
Tue Aug 25 23:55:15 UTC 2015


In message <tencent_104DAA745927A4637B59CA00 at qq.com>, "宋林健" writes:
> Sorry, but IMHO the connectionless feature of DNS is becoming the major 
> security vector to launch severe DDOS attack. 

You can do "connections" over UDP, EDNS COOKIE, without all the
state overhead of TCP.  There is documentation, running code and
code points assigned to do this.  BIND 9.10.2 uses those code points
(configure --enable-sit which is on in the Windows BUILDs, for
9.10.[01] it used a private code point).  With BIND 9.11 the configure
switch is gone.

The documentation is in last call.
EDNS COOKIE has code point 10.
BADCOOKIE has code point 23.

> btw: what's the concrete scalability concern do you mean? I do not find 
> any DNS requirements can not be fulfilled by web technology. Well, if 
> you say you do not have such budget to upgrade the system, it's another 
> story.
> 
> Davey
> 
> ---Original---
> From: "Roland Dobbins"<rdobbins at arbor.net>
> Date: 2015/08/25 20:00:23
> To: "dns-operations"<dns-operations at dns-oarc.net>;
> Subject: Re: dns-operations A dns-proxy for DNS over HTTP(s)
> 
> On 25 Aug 2015, at 18:36, Stephane Bortzmeyer wrote:
> 
> > Many high-profile sites host HTTP (and, now, HTTPS) services and have 
> > the experience and the tools to fight dDoS attacks.
> 
> Actually, many high-profile organizations do this very poorly - 
> surprisingly so.
> 
> And it's not just the high-profile organizations I'm worried about.
> 
> > To the contrary, there are more software and human resources to deal 
> > with TCP services than with UDP ones.
> 
> Encryption complicates matters greatly, and DNS traffic/query patterns 
> are quite different from Web.
> 
> Even without DDoS attacks, scalability is a concern.  Add DDoS attacks, 
> and things get a whole lot more complicated and much less scalable.
> 
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
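An added illustration of the stateless "connection" Mark describes, not code from this thread or from BIND: it encodes and decodes the EDNS COOKIE option (code 10), derives a server cookie bound to the client's source address, and returns BADCOOKIE (23) when a presented server cookie does not verify. The keyed-hash construction, secret and addresses are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

EDNS_COOKIE = 10   # EDNS option code for COOKIE (as stated in the message)
BADCOOKIE = 23     # extended RCODE for a server cookie that does not verify


def encode_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Wire form of one OPT option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    data = client_cookie + server_cookie
    return struct.pack("!HH", EDNS_COOKIE, len(data)) + data


def decode_cookie_option(option: bytes):
    """Return (client_cookie, server_cookie); reject malformed lengths."""
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:4 + length]
    if code != EDNS_COOKIE or len(data) != length:
        raise ValueError("not a well-formed COOKIE option")
    # client cookie alone is 8 bytes; with a server cookie 16..40 bytes
    if length != 8 and not 16 <= length <= 40:
        raise ValueError("COOKIE option must be 8 or 16..40 bytes long")
    return data[:8], data[8:]


def server_cookie(secret: bytes, client_cookie: bytes, client_ip: str) -> bytes:
    """Stateless server cookie: keyed hash over client cookie + source address.
    HMAC-SHA256 truncated to 8 bytes is an illustrative (assumed) construction;
    the server keeps no per-client state, only the secret."""
    msg = client_cookie + ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def check_request(secret: bytes, client_ip: str, option: bytes):
    """Server-side decision for a UDP query carrying a COOKIE option.
    'fresh'  : no server cookie yet; answer but rate-limit like any unverified source
    'valid'  : the sender proved it receives replies at this address (not spoofed)
    BADCOOKIE: server cookie present but wrong; reply with a new cookie, no answer"""
    cc, sc = decode_cookie_option(option)
    expected = server_cookie(secret, cc, client_ip)
    reply_option = encode_cookie_option(cc, expected)
    if not sc:
        return "fresh", reply_option
    if hmac.compare_digest(sc, expected):
        return "valid", reply_option
    return BADCOOKIE, reply_option
```

Because the server cookie is bound to the source address, a query with a spoofed source never learns a cookie that verifies, which is what lets a resolver exempt cookie-validated clients from the rate limits applied to unverified UDP traffic.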