[dns-operations] Always replying to UDP requests with TC=1, good practice or not

Mark Jeftovic markjr at easydns.com
Sun Oct 18 18:22:31 UTC 2015



On 2015-10-18 12:39 PM, Paul Vixie wrote:
> On Sunday, October 18, 2015 17:33:41 Stephane Bortzmeyer wrote:
>> I had issues with the domain kura.io, since the name servers
>> always reply with TC=0 (on IPv4; their IPv6 behaviour is more 
>> common). ...
> 
> i think you mean TC=1.
> 
> this supposed anti-ddos behaviour is, i heard from somewhere,
> patented. at least, there's a variant where the first UDP query gets
> TC=1 and only after the client demonstrates that they heard your
> TC=1 and properly followed up with a TCP transaction, is UDP
> answered normally. that variant is, i think, patented.
> 

I was also going to clarify that he probably means TC=1

Yes, this is a common DDoS mitigation technique and it works pretty
well for some situations. I'm not surprised to hear somebody patented
this; I could almost hazard a guess who (but I won't).

I would not do it all the time however, because we've seen cases where
some devices / resolvers fail badly on the TCP retry (like they don't
do it, won't do it), such as some mobile devices on some wireless
networks.

It's ok to do this in a hair-on-fire situation IMHO (but I'm of the
opinion it's ok to do almost anything in a hair-on-fire situation,
such as dropping ANY's on the floor, whatever it takes).

- mark


-- 
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Vote For Mark in Canada's Federal Election: http://markjeftovic.ca
+1-416-535-8672 ext 225
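As an added illustration (not code from the thread, easyDNS, or any real name server), a small Python model of what is discussed above: the TC bit in the DNS header that a client has to check, the "TC=1 on UDP until the source has completed a TCP query" variant Paul describes, and the failure mode Mark mentions where a client never retries over TCP. The policy class, source addresses (192.0.2.x) and query IDs are constructed for the example.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1): QR = response, TC = truncated
QR, TC = 0x8000, 0x0200


def build_header(qid, flags, qd=1, an=0, ns=0, ar=0):
    """Pack the 12-byte DNS header. A real answer would append question/answer sections."""
    return struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar)


def is_truncated(msg):
    """Client side: a response with TC=1 is incomplete and must be retried over TCP."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & QR) and bool(flags & TC)


class TruncateFirstPolicy:
    """Server-side model of the variant described in the thread (constructed):
    an unverified source gets an empty TC=1 reply on UDP; once it has
    completed a query over TCP it is answered normally on UDP as well."""

    def __init__(self):
        self.verified = set()  # source addresses that have completed a TCP query

    def handle(self, src, transport, qid):
        """Return ("full", msg) or ("truncated", msg) for one query."""
        if transport == "tcp":
            self.verified.add(src)
            return "full", build_header(qid, QR, an=1)
        if src in self.verified:
            return "full", build_header(qid, QR, an=1)
        # Unverified UDP source: header only, QR and TC set, no answer records.
        return "truncated", build_header(qid, QR | TC)


def resolve(policy, src, qid, client_retries_over_tcp=True):
    """Simulate one lookup: UDP first, TCP fallback only if the client honours TC=1.
    Returns True if the client ends up with a full answer."""
    kind, msg = policy.handle(src, "udp", qid)
    if kind == "full":
        return True
    if is_truncated(msg) and client_retries_over_tcp:
        kind, _ = policy.handle(src, "tcp", qid)
        return kind == "full"
    return False  # the broken-client case: no TCP retry, so no answer at all
```

A well-behaved client is answered after one TCP round trip and then gets normal UDP answers; a client that ignores TC=1 never resolves the name, which is the risk of running this mode all the time.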
