[unisog] DNS over TCP should we block

Florian Weimer fw at deneb.enyo.de
Wed Jan 5 16:39:28 GMT 2005

* Leigh Heyman:

> Valdis.Kletnieks at vt.edu wrote:
>> On Wed, 05 Jan 2005 01:43:31 +0100, Florian Weimer said:
>>> Therefore, it's been proposed to answer requests of unknown
>>> origin with a truncated response, to force the resolver to requery
>>> over TCP.  Now apply SYN cookies.
>> One other issue there is that if you're running a *VERY* high-volume
>> mail server (something more than 500K-1M outbound connections/day),
>> the additional latency introduced by trying UDP, then having to redo
>> via TCP (remember - a min of 8 more packets on top of the 2 UDP packets)
>> can start to impact your throughput.
> By "requests of unknown origin" did Florian mean requests from outside 
> clients to internal resolvers?

No, requests whose source addresses have not been validated yet (or
the information has expired from the cache).  Further requests from
sources which have passed the test should be forwarded immediately.

Of course, the whole thing starts to break down when the attackers
spoof addresses of legitimate servers, because DNS over UDP involves a
shared secret provided by the server side which is relayed back by the
client.  Maybe such attacks are already happening---look for
fragmented/broken UDP packets to your name servers (although you won't
see them in Netflow logs, IIRC).
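
The scheme under discussion, as an added example that is not code from the original post or from any list member: a front end in front of a name server keeps a cache of source addresses that have completed a TCP handshake (which, with SYN cookies on, proves the source is not spoofed). A UDP query from an address not in the cache gets back an empty reply with TC=1, so a real resolver retries over TCP; a UDP query from a validated address is forwarded straight away until the cache entry expires. The wire format is plain RFC 1035 header packing; the class and function names, the 300-second cache lifetime, the sample address 192.0.2.1 and the query for example.com are all constructed for this example.

```python
import struct
import time

# DNS header flag bits (RFC 1035, second 16-bit word of the header).
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: client should retry over TCP
FLAG_RD = 0x0100  # recursion desired


def build_query(txid, name, qtype=1, qclass=1):
    """Build a minimal DNS query: header + one question, no compression."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Unpack the 12-byte DNS header into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def is_truncated(msg):
    return bool(parse_header(msg)["flags"] & FLAG_TC)


def question_section(msg):
    """Return the raw bytes of the single question following the header."""
    i = 12
    while msg[i] != 0:          # walk the labels of QNAME
        i += 1 + msg[i]
    i += 1                      # root label
    i += 4                      # QTYPE + QCLASS
    return msg[12:i]


def truncated_response(query):
    """Reply with QR=1, TC=1, no answers, echoing ID and question.

    This is what pushes a legitimate resolver onto TCP; a spoofed UDP
    source never sees it, so nothing is amplified toward the victim.
    """
    hdr = parse_header(query)
    flags = FLAG_QR | FLAG_TC | (hdr["flags"] & FLAG_RD)
    return struct.pack("!HHHHHH", hdr["id"], flags, hdr["qdcount"], 0, 0, 0) \
        + question_section(query)


class SourceValidatingFrontend:
    """Front end that forwards UDP only from sources that have proven
    their address by completing a TCP handshake (SYN cookies do the
    proving on the TCP side; this class only records the result)."""

    def __init__(self, ttl=300, now=time.time):
        self.validated = {}     # source address -> expiry timestamp
        self.ttl = ttl          # assumed cache lifetime, in seconds
        self.now = now

    def is_validated(self, src):
        expiry = self.validated.get(src)
        if expiry is None:
            return False
        if expiry <= self.now():
            del self.validated[src]   # entry has aged out
            return False
        return True

    def on_udp(self, src, query):
        """Return ("forward", query) or ("reply", truncated_response)."""
        if self.is_validated(src):
            return ("forward", query)
        return ("reply", truncated_response(query))

    def on_tcp(self, src, query):
        """A completed TCP handshake proves src; remember it and forward."""
        self.validated[src] = self.now() + self.ttl
        return ("forward", query)


def client_lookup(frontend, src, query):
    """Resolver side: try UDP, fall back to TCP when TC=1 comes back.

    Returns (action, message, transport_used)."""
    action, msg = frontend.on_udp(src, query)
    if action == "reply" and is_truncated(msg):
        action, msg = frontend.on_tcp(src, query)
        return (action, msg, "tcp")
    return (action, msg, "udp")
```

Note that the cache is keyed on the source address alone, which is exactly the weakness the post goes on to describe: once 192.0.2.1 has validated itself, a UDP query forged with that source address is forwarded like any other, so the front end removes reflection from arbitrary spoofed sources but not from sources that impersonate an already validated server.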
