<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:16.0pt">Just following up on this. This issue was narrowed down to a need to increase the entropy threshold on Chrome’s DNS source port logic on Windows 10 and 11 to prevent the built-in DNS client from falling back
to TCP. This impacts all Chromium-based browsers and the fix can be found here:<br>
<br>
Chrome Bug tracking this issue:<br>
<br>
<a href="https://bugs.chromium.org/p/chromium/issues/detail?id=1413620">https://bugs.chromium.org/p/chromium/issues/detail?id=1413620</a><br>
<br>
Fix (a one-liner) can be found here:<br>
<br>
<a href="https://chromium.googlesource.com/chromium/src/+/59d686c1417b5aea7b1d94a28bac45d8d8f26fe0">https://chromium.googlesource.com/chromium/src/+/59d686c1417b5aea7b1d94a28bac45d8d8f26fe0</a><br>
<br>
This looks like the fix will be added in Chrome 112 or 113. <br>
<br>
Thanks, <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:16.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Adam Casella | Solutions Architect<br>
Infoblox | infoblox.com<br>
914.953.8571</span><span style="font-size:16.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:16.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">
<b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">dns-operations &lt;dns-operations-bounces@dns-oarc.net&gt; on behalf of dns-operations-request@dns-oarc.net &lt;dns-operations-request@dns-oarc.net&gt;<br>
<b>Date: </b>Friday, March 17, 2023 at 5:02 AM<br>
<b>To: </b>dns-operations@lists.dns-oarc.net &lt;dns-operations@lists.dns-oarc.net&gt;<br>
<b>Subject: </b>dns-operations Digest, Vol 206, Issue 7<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">
Today's Topics:<br>
<br>
1. Re: Increase in DNS over TCP from Chrome Browser on Windows<br>
11 (David Zych)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 16 Mar 2023 11:57:00 -0500<br>
From: David Zych &lt;dmrz@illinois.edu&gt;<br>
To: "dns-operations@lists.dns-oarc.net"<br>
&lt;dns-operations@lists.dns-oarc.net&gt;<br>
Subject: Re: [dns-operations] Increase in DNS over TCP from Chrome<br>
Browser on Windows 11<br>
Message-ID: &lt;13b9d8bc-55d3-a069-d907-299b8dad9d53@illinois.edu&gt;<br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
On 3/15/23 11:29, Adam Casella wrote:<br>
> It seems that Chrome is leveraging 1 TCP session per DNS query to prevent tracking of the DNS traffic, which unfortunately does not take advantage of TCP pipelining/multiplexing or out-of-order TCP DNS responses over a single TCP stream.<br>
<br>
Hi Adam, thanks for sharing this!<br>
<br>
We definitely noticed a dramatic increase in TCP DNS requests circa Mon 2022-11-07, for which I'm grateful to finally have a plausible explanation.<br>
<br>
The use of 1 TCP session per query is especially significant because our recursive resolvers have iptables rules designed to prevent them from being monopolized by a single misbehaving client, which includes limiting the number of parallel inbound 53/tcp connections
per client IP. The sudden increase in throttling by that particular iptables rule was quite a surprise.<br>
<br>
Thanks,<br>
David<br>
<br>
-- <br>
David Zych (he/him)<br>
Lead Network Service Engineer<br>
<br>
University of Illinois Urbana-Champaign<br>
Office of the Chief Information Officer<br>
Technology Services<br>
<br>
Under the Illinois Freedom of Information Act any written communication to or from university employees regarding university business is a public record and may be subject to public disclosure.<br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
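<p class="MsoNormal">Added example, not part of either message in the thread: a way to see why one TCP session per query trips a per-client-IP limit on parallel inbound 53/tcp connections, by computing each client's peak number of simultaneously open connections. The connection records, the addresses and the limit of 4 are constructed for illustration and are not values from the thread.</p>

```python
from collections import defaultdict

# Constructed sample: (client_ip, open_time_s, close_time_s) for inbound 53/tcp
# connections, as might be derived from conntrack or resolver logs.
CONSTRUCTED_CONNS = [
    # 192.0.2.10: browser opening one TCP session per query during a page load
    ("192.0.2.10", 0.00, 0.40), ("192.0.2.10", 0.05, 0.45),
    ("192.0.2.10", 0.10, 0.50), ("192.0.2.10", 0.12, 0.52),
    ("192.0.2.10", 0.15, 0.55), ("192.0.2.10", 0.60, 0.90),
    # 192.0.2.20: client reusing one long-lived TCP session for many queries
    ("192.0.2.20", 0.00, 5.00),
    # 192.0.2.30: occasional fallback to TCP, sessions never overlap
    ("192.0.2.30", 1.00, 1.20), ("192.0.2.30", 3.00, 3.20),
]


def peak_parallel(conns):
    """Return {client_ip: peak number of simultaneously open connections}."""
    events = defaultdict(list)
    for ip, start, end in conns:
        events[ip].append((start, 1))   # connection opened
        events[ip].append((end, -1))    # connection closed
    peaks = {}
    for ip, evs in events.items():
        # Closes sort before opens at the same timestamp, so a back-to-back
        # close/open pair is not counted as two parallel sessions.
        evs.sort(key=lambda e: (e[0], e[1]))
        current = peak = 0
        for _, delta in evs:
            current += delta
            peak = max(peak, current)
        peaks[ip] = peak
    return peaks


def clients_over_limit(conns, limit):
    """Clients whose peak parallelism would exceed a per-IP connection limit."""
    return sorted(ip for ip, peak in peak_parallel(conns).items() if peak > limit)


if __name__ == "__main__":
    LIMIT = 4  # hypothetical per-client-IP limit, not a value from the thread
    for ip, peak in sorted(peak_parallel(CONSTRUCTED_CONNS).items()):
        print(f"{ip} peak={peak} {'THROTTLED' if peak > LIMIT else 'ok'}")
```

<p class="MsoNormal">Clients behind a shared NAT address are counted as one source IP by the resolver, so their peaks add together when sizing such a limit.</p>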
</body>
</html>