<div dir="ltr"><div>Instead of closing the open resolvers, can we just force queries from external networks to use TCP? Say, reply to queries from external networks with a short truncated UDP response to signal the querier to switch to TCP? This would disable reflection amplification while leaving a door open for legitimate users of open resolvers. (I don't know if this idea has been discussed before; if so, can anyone please give me a link to the discussion? Thanks!)</div>
<div><br></div><div>I have been looking around on several mailing lists recently and saw many people vote for shutting down ORs. The primary reason, AFAIK, is that ORs enable DNS reflection amplification attacks, and the problem has been getting more serious recently. No doubt we have to solve this problem, because someone is being hurt, and potentially many others.</div>
<div><br></div><div>I saw several keywords: BCP38, rate limiting and TCP. While BCP38 is the best solution, it takes time to be deployed. Rate limiting is coming, but many people think it's better suited to authoritative name servers. What I want to discuss here is TCP. Some say TCP is expensive, but if we could afford entirely shutting down external queries, then two more RTTs to get a response seem trivial.</div>
<div><br></div><div>There are some posts, reasonable or not, stating legitimate cases for open resolvers. And as an Internet measurement researcher, I also find value in open resolvers for some research projects, in that ORs greatly extend our view of the Internet. I would like to find a way to solve the problem we are facing now while preserving open resolvers for their good side.</div>
<div><br></div><div>So do you think "force TCP for external queries to ORs" is a feasible solution to the DNS reflection amplification problem?</div><div><br></div><div><br></div><div><br></div><div>Xun Fan</div><div>USC/ISI</div>
</div>
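The exchange the post proposes, as an added example that is not part of the original message or of any USC/ISI code: a resolver-side policy that answers external sources with a header-plus-question stub carrying TC=1, and internal sources with the real answer, so the reflected packet is never larger than the spoofed query. The internal ranges, the `example.com` ANY query with an EDNS0 buffer size, and the padded TXT answer are all constructed for the demonstration; a real resolver would take the client ACL from its own configuration.

```python
import ipaddress
import struct

# Constructed "internal" client ranges (RFC 5737 / RFC 3849 documentation space).
# A real deployment would use the resolver's own client ACL instead.
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080

# Constructed TXT RDATA: four 255-byte character-strings, 1024 bytes total.
# Stands in for the large answer an attacker wants reflected.
SAMPLE_TXT_RDATA = b"".join(bytes([255]) + b"x" * 255 for _ in range(4))


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=255, edns_bufsize=4096, txid=0x1234):
    """Constructed query of the shape used in amplification: ANY plus EDNS0 buffer size."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # EDNS0 OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def parse_question(msg):
    """Return (raw question bytes, offset past it). Assumes QDCOUNT == 1 and no compression."""
    off = 12
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        off += length
    off += 4  # QTYPE + QCLASS
    return msg[12:off], off


def is_internal(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in INTERNAL_NETS)


def truncated_reply(query):
    """Smallest useful UDP response: header with QR|TC set plus the echoed question.
    Per RFC 1035 a client that sees TC=1 retries the same query over TCP.
    The OPT record is deliberately not echoed to keep the reply minimal."""
    txid, flags = struct.unpack("!HH", query[:4])
    question, _ = parse_question(query)
    resp_flags = FLAG_QR | FLAG_TC | FLAG_RA | (flags & FLAG_RD)
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + question


def full_reply(query, answer_rdata):
    """Constructed full answer with one TXT record (what an internal client would get)."""
    txid, flags = struct.unpack("!HH", query[:4])
    question, _ = parse_question(query)
    resp_flags = FLAG_QR | FLAG_RA | (flags & FLAG_RD)
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0)  # ANCOUNT=1
    # Owner name as compression pointer to offset 12, TYPE TXT(16), CLASS IN, TTL 300
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(answer_rdata)) + answer_rdata
    return header + question + rr


def respond(query, src_ip, answer_rdata):
    """The policy from the post: external sources get a TC stub, internal sources the answer."""
    if is_internal(src_ip):
        return full_reply(query, answer_rdata)
    return truncated_reply(query)


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def amplification(query, reply):
    """Bytes reflected per byte sent by the (possibly spoofed) source."""
    return len(reply) / len(query)


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    q = build_query("example.com")
    for src in ("203.0.113.9", "192.0.2.5"):
        r = respond(q, src, SAMPLE_TXT_RDATA)
        print(src, "TC" if is_truncated(r) else "full", len(q), "->", len(r),
              "amplification %.2fx" % amplification(q, r))
    print("TCP-framed retry:", tcp_frame(q)[:2].hex(), "+", len(q), "bytes")
```

The point the numbers make: the 40-byte ANY query draws a 29-byte stub from an external address (under 1x), and the 1065-byte answer only from an address the resolver already trusts, so a spoofed source receives at most one packet no bigger than the one the attacker sent. The TCP retry then comes from the real client, because the three-way handshake cannot complete with a spoofed source.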