[dns-operations] Configurable TC=1?

Paul Vixie paul at redbarn.org
Sun Dec 20 18:16:28 UTC 2015


On Sunday, December 20, 2015 03:27:00 PM Ralph Babel wrote:
> Ralf Weber wrote:
> > If we switch DNS to TCP there will be a huge cost
> > in implementing this, as TCP just doesn't scale
> > the way UDP does
> 
> True; so is there a nameserver implementation that
> allows me to respond with a minimal TC=1 packet if ...
> 
>   sizeof(UDP-response) > sizeof(UDP-query) * x + y
> 
> ..., x and y being fully configurable, preferably
> on a per-address-range basis, maybe even dependent
> upon the query type?
> 
> (not so much related to the "Storm on the DNS"
> issue but to DNS amplification attacks)

this won't help all victims of dns amplification attacks, since many of the congestion points 
are measured in PPS not BPS. they need attenuation, not just the absence of amplification. 
attenuation in both PPS and BPS.

that's what DNS RRL is designed to do. i've yet to hear a simpler solution.

http://www.redbarn.org/dns/ratelimits

-- 
P Vixie