[unisog] DNS over TCP should we block

Leigh Heyman leigh at csail.mit.edu
Wed Jan 5 14:32:05 GMT 2005


Valdis.Kletnieks at vt.edu wrote:

> On Wed, 05 Jan 2005 01:43:31 +0100, Florian Weimer said:
> 
>> Therefore, it's been proposed to answer requests of unknown
>> origin with a truncated response, to force the resolver to requery
>> over TCP.  Now apply SYN cookies.
> 
> 
> One other issue there is that if you're running a *VERY* high-volume
> mail server (something more than 500K-1M outbound connections/day),
> the additional latency introduced by trying UDP, then having to redo
> via TCP (remember - a min of 8 more packets on top of the 2 UDP packets)
> can start to impact your throughput. 

By "requests of unknown origin" did Florian mean requests from outside 
clients to internal resolvers?  In that case, queries from your own 
mail servers and web servers wouldn't qualify as "unknown" and therefore 
should still happily use UDP, yes?

-L
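The mechanism under discussion, modelled end to end as an added example (this is not code from the thread or from any resolver the list mentions): a server answers UDP queries from "known" source prefixes normally, answers everyone else with an empty response that has the TC bit set, and a client that sees TC retries the same query over TCP. The trusted prefixes, the answer table, the query id and every function name are constructed for the example; the wire format is standard DNS (RFC 1035 header and question, one A record with a name-compression pointer), and real deployments would key "known origin" on their own client lists.

```python
import ipaddress
import struct

# Constructed: prefixes of our own clients (mail and web servers) that keep using UDP.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]
# Constructed zone data: one name with one A record.
ANSWERS = {"mail.example.com": ["203.0.113.5"]}

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: tells the resolver to retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def is_known_origin(src_ip, trusted=TRUSTED_NETS):
    """True when the query's source address falls inside a trusted prefix."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in trusted)


def build_query(qid, name, qtype=1):
    """Encode a single-question DNS query (RFC 1035 header + QNAME labels + QTYPE/QCLASS)."""
    header = struct.pack("!6H", qid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (id, flags, qname, qtype, qclass, raw question section) from a query packet."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        ln = packet[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers are not valid in a query's QNAME
            raise ValueError("compressed label in question")
        labels.append(packet[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    return qid, flags, ".".join(labels), qtype, qclass, packet[12:off]


def build_response(query, src_ip, answers=ANSWERS, transport="udp"):
    """Server side: full answer for known origins or over TCP; TC-only stub otherwise."""
    qid, flags, qname, qtype, qclass, question = parse_query(query)
    rflags = FLAG_QR | FLAG_RA | (flags & FLAG_RD)
    if transport == "udp" and not is_known_origin(src_ip):
        # Empty, truncated reply: cheap to send, carries no data, and the resolver
        # must come back over TCP, where SYN cookies protect the handshake.
        return struct.pack("!6H", qid, rflags | FLAG_TC, 1, 0, 0, 0) + question
    records = answers.get(qname, [])
    rrs = b""
    for ip in records:
        # 0xC00C is a compression pointer back to the QNAME at offset 12.
        rrs += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!6H", qid, rflags, 1, len(records), 0, 0) + question + rrs


def is_truncated(response):
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


def parse_answers(response):
    """Return the IPv4 strings of all A records in the answer section."""
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", response[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        while response[off] != 0:
            off += 1 + response[off]
        off += 1 + 4
    ips = []
    for _ in range(an):
        if response[off] & 0xC0 == 0xC0:
            off += 2  # compression pointer
        else:
            while response[off] != 0:
                off += 1 + response[off]
            off += 1
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return ips


def resolve(src_ip, name, answers=ANSWERS, qid=0x1234):
    """Client side: try UDP first, retry over TCP if the reply is truncated.
    Returns (transport that delivered the answer, list of A records)."""
    query = build_query(qid, name)
    reply = build_response(query, src_ip, answers, transport="udp")
    transport = "udp"
    if is_truncated(reply):
        transport = "tcp"  # second round trip plus a TCP handshake, the cost Valdis describes
        reply = build_response(query, src_ip, answers, transport="tcp")
    return transport, parse_answers(reply)


if __name__ == "__main__":
    for src in ("192.0.2.25", "2001:db8::1", "198.51.100.7"):
        print(src, resolve(src, "mail.example.com"))
```

A query from a trusted prefix gets its answer in the single UDP exchange; a query from anywhere else costs the resolver the extra TCP round trips, which is exactly the trade-off between Florian's proposal and Valdis's throughput concern.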
