dns-operations Digest, Vol 206, Issue 7
Adam Casella
acasella at infoblox.com
Wed Mar 29 21:03:28 UTC 2023
Just following up on this. This issue was narrowed down to a need to increase the entropy threshold on Chrome’s DNS source port logic on Windows 10 and 11 to prevent the built-in DNS client from falling back to TCP. This impacts all Chromium-based browsers and the fix can be found here:
Chrome Bug tracking this issue:
https://bugs.chromium.org/p/chromium/issues/detail?id=1413620
Fix (a one-liner) can be found here:
https://chromium.googlesource.com/chromium/src/+/59d686c1417b5aea7b1d94a28bac45d8d8f26fe0
This looks like the fix will be added in Chrome 112 or 113.
Thanks,
Adam Casella | Solutions Architect
Infoblox | infoblox.com
914.953.8571
From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of dns-operations-request at dns-oarc.net <dns-operations-request at dns-oarc.net>
Date: Friday, March 17, 2023 at 5:02 AM
To: dns-operations at lists.dns-oarc.net <dns-operations at lists.dns-oarc.net>
Subject: dns-operations Digest, Vol 206, Issue 7
Today's Topics:
1. Re: Increase in DNS over TCP from Chrome Browser on Windows
11 (David Zych)
----------------------------------------------------------------------
Message: 1
Date: Thu, 16 Mar 2023 11:57:00 -0500
From: David Zych <dmrz at illinois.edu>
To: "dns-operations at lists.dns-oarc.net"
<dns-operations at lists.dns-oarc.net>
Subject: Re: [dns-operations] Increase in DNS over TCP from Chrome
Browser on Windows 11
Message-ID: <13b9d8bc-55d3-a069-d907-299b8dad9d53 at illinois.edu>
Content-Type: text/plain; charset=UTF-8; format=flowed
On 3/15/23 11:29, Adam Casella wrote:
> It seems that Chrome is leveraging 1 TCP session per DNS query to prevent tracking of the DNS traffic, which unfortunately does not take advantage of TCP pipelining/multiplexing or out-of-order TCP DNS responses over a single TCP stream.
Hi Adam, thanks for sharing this!
We definitely noticed a dramatic increase in TCP DNS requests circa Mon 2022-11-07, for which I'm grateful to finally have a plausible explanation.
The use of 1 TCP session per query is especially significant because our recursive resolvers have iptables rules designed to prevent them from being monopolized by a single misbehaving client, which includes limiting the number of parallel inbound 53/tcp connections per client IP. The sudden increase in throttling by that particular iptables rule was quite a surprise.
Thanks,
David
--
David Zych (he/him)
Lead Network Service Engineer
University of Illinois Urbana-Champaign
Office of the Chief Information Officer
Technology Services
Under the Illinois Freedom of Information Act any written communication to or from university employees regarding university business is a public record and may be subject to public disclosure.
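Added example, not part of either message and not the resolvers' actual rules: a replay of constructed connection records showing why one TCP session per DNS query trips a per-client-IP cap on parallel inbound 53/tcp connections of the kind David describes, while a single reused connection does not. The cap of 5, the addresses and the timings are assumptions chosen for illustration.

```python
import heapq
from collections import defaultdict

# Constructed sample of inbound 53/tcp connections: (client_ip, open_ms, close_ms).
# Addresses come from the documentation range 192.0.2.0/24; timings are invented.
SAMPLE_CONNS = (
    # One connection per query: 12 lookups fired 10 ms apart, each held 300 ms.
    [("192.0.2.10", i * 10, i * 10 + 300) for i in range(12)]
    # One long-lived connection carrying many queries.
    + [("192.0.2.20", 0, 5000)]
    # Three lookups, strictly one after another.
    + [("192.0.2.30", i * 400, i * 400 + 300) for i in range(3)]
)

def simulate_cap(conns, limit):
    """Replay connections against a per-client cap on parallel connections.

    Returns {client_ip: {"accepted": n, "rejected": n, "peak_offered": n}}.
    peak_offered is the parallelism the client would have reached with no cap.
    Simplification: a rejected attempt is not retried by the client.
    """
    open_accepted = defaultdict(list)  # ip -> min-heap of close times (accepted only)
    open_offered = defaultdict(list)   # ip -> min-heap of close times (every attempt)
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0, "peak_offered": 0})
    for ip, start, end in sorted(conns, key=lambda c: c[1]):
        for heap in (open_accepted[ip], open_offered[ip]):
            while heap and heap[0] <= start:  # drop connections already closed
                heapq.heappop(heap)
        heapq.heappush(open_offered[ip], end)
        s = stats[ip]
        s["peak_offered"] = max(s["peak_offered"], len(open_offered[ip]))
        if len(open_accepted[ip]) >= limit:
            s["rejected"] += 1  # the cap would refuse this attempt
        else:
            heapq.heappush(open_accepted[ip], end)
            s["accepted"] += 1
    return dict(stats)

def throttled_clients(conns, limit):
    """Client IPs that had at least one connection refused by the cap."""
    return sorted(ip for ip, s in simulate_cap(conns, limit).items() if s["rejected"])

if __name__ == "__main__":
    for ip, s in sorted(simulate_cap(SAMPLE_CONNS, limit=5).items()):
        print(ip, s)
```

Feeding real connection-tracking or flow records into `simulate_cap` with candidate limits shows how many well-behaved clients a given cap would start refusing before the rule is changed.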