dns-operations Digest, Vol 206, Issue 7

Adam Casella acasella at infoblox.com
Wed Mar 29 21:03:28 UTC 2023


Just following up on this.  This issue was narrowed down to a need to increase the entropy threshold on Chrome’s DNS source port logic on Windows 10 and 11 to prevent the built-in DNS client from falling back to TCP.  This impacts all Chromium-based browsers and the fix can be found here:

Chrome Bug tracking this issue:

https://bugs.chromium.org/p/chromium/issues/detail?id=1413620

Fix (a one-liner) can be found here:

https://chromium.googlesource.com/chromium/src/+/59d686c1417b5aea7b1d94a28bac45d8d8f26fe0

This looks like the fix will be added in Chrome 112 or 113.

Thanks,

Adam Casella | Solutions Architect
Infoblox | infoblox.com
914.953.8571

From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of dns-operations-request at dns-oarc.net <dns-operations-request at dns-oarc.net>
Date: Friday, March 17, 2023 at 5:02 AM
To: dns-operations at lists.dns-oarc.net <dns-operations at lists.dns-oarc.net>
Subject: dns-operations Digest, Vol 206, Issue 7

Today's Topics:

   1. Re: Increase in DNS over TCP from Chrome Browser on Windows
      11 (David Zych)


----------------------------------------------------------------------

Message: 1
Date: Thu, 16 Mar 2023 11:57:00 -0500
From: David Zych <dmrz at illinois.edu>
To: "dns-operations at lists.dns-oarc.net"
        <dns-operations at lists.dns-oarc.net>
Subject: Re: [dns-operations] Increase in DNS over TCP from Chrome
        Browser on Windows 11
Message-ID: <13b9d8bc-55d3-a069-d907-299b8dad9d53 at illinois.edu>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 3/15/23 11:29, Adam Casella wrote:
> It seems that Chrome is leveraging 1 TCP session per DNS query to prevent tracking of the DNS traffic, which unfortunately does not take advantage of TCP pipelining/multiplexing or out-of-order TCP DNS responses over a single TCP stream.

Hi Adam, thanks for sharing this!

We definitely noticed a dramatic increase in TCP DNS requests circa Mon 2022-11-07, for which I'm grateful to finally have a plausible explanation.

The use of 1 TCP session per query is especially significant because our recursive resolvers have iptables rules designed to prevent them from being monopolized by a single misbehaving client, which includes limiting the number of parallel inbound 53/tcp connections per client IP.  The sudden increase in throttling by that particular iptables rule was quite a surprise.

Thanks,
David

--
David Zych (he/him)
Lead Network Service Engineer

University of Illinois Urbana-Champaign
Office of the Chief Information Officer
Technology Services

Under the Illinois Freedom of Information Act any written communication to or from university employees regarding university business is a public record and may be subject to public disclosure.


End of dns-operations Digest, Vol 206, Issue 7
**********************************************
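
Added example, not part of either message and not David's actual rules: a short Python check a resolver operator could run over connection records to see which clients would exceed a per-client limit on parallel inbound 53/tcp connections once a browser opens one TCP session per query. The record format, the sample addresses and the limit of 10 are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: (client_ip, open_ms, close_ms) for inbound 53/tcp.
CONNS = (
    # One TCP session per query: 12 lookups in a page-load burst, 200 ms each.
    [("192.0.2.10", i * 10, i * 10 + 200) for i in range(12)]
    # Same number of lookups carried over a single reused connection.
    + [("192.0.2.20", 0, 2000)]
    # Back-to-back sessions that never overlap (close and open share a timestamp).
    + [("198.51.100.5", 0, 100), ("198.51.100.5", 100, 200), ("198.51.100.5", 200, 300)]
)


def peak_parallel(conns):
    """Return {client_ip: highest number of simultaneously open connections}."""
    events = defaultdict(list)
    for ip, opened, closed in conns:
        events[ip].append((opened, 1))
        events[ip].append((closed, -1))
    peaks = {}
    for ip, evs in events.items():
        # Tuples sort by time, then delta, so a close (-1) at the same
        # timestamp is counted before an open (+1) and is not double-counted.
        evs.sort()
        current = peak = 0
        for _, delta in evs:
            current += delta
            peak = max(peak, current)
        peaks[ip] = peak
    return peaks


def would_throttle(conns, limit):
    """Clients whose peak exceeds a hypothetical per-IP parallel-connection limit."""
    return sorted(ip for ip, peak in peak_parallel(conns).items() if peak > limit)


if __name__ == "__main__":
    for ip, peak in sorted(peak_parallel(CONNS).items()):
        print(f"{ip}: peak {peak} parallel 53/tcp connections")
    print("over limit of 10:", would_throttle(CONNS, 10))
```

Running the same function over real connection logs before and after a client-side change shows whether an existing per-IP limit still has headroom for legitimate clients.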