Hi Mark,

On 07/02/2018 16:14, Mark Schouten wrote:
> Hi,
> I've had this idea, read about it and let me know what you think. https://www.tuxis.nl/blog/what-if-dns-over-tcp-20180207/
Thank you for writing down your ideas. I have some questions and a couple of comments for you to consider.

Question 1: Was the recent DDoS armed by open resolvers allowing for a DNS amplification attack? I didn't hear about the specifics other than a botnet, hired for a nominal fee.

Question 2: Are DNS amplification attacks still an issue? As far as I understand, most name servers are equipped with RRL (response rate limiting), effectively nullifying (well, almost) the spoofed traffic reflection.

I guess most DNS name servers (authoritative/recursive) do support TCP to deal with the TC bit (truncated answer) and (should try) TCP fallback. Measuring name server TCP capabilities by scanning name servers might be quite an effort (i.e. which name server to scan?), but you can also look at the different DNS server implementations, e.g. BIND, PowerDNS, Knot DNS and NSD/Unbound. ;-)

In the past years, we (the open source DNS community) made substantial progress with introducing DNS-over-TLS in the different code bases. This started in the IETF DPRIVE working group and implementations are well on the way. For more information see https://dnsprivacy.org/wiki/.

All this DNS-over-TLS work focuses on stub to resolver interactions: the easy part wrt scaling (up to 10,000 clients). The hard part is still the authoritatives that see up to millions of queries per second.

Cheers,

-- Benno

-- 
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/
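The TC-bit / TCP-fallback mechanics that Benno refers to, as an added illustration that is not part of this thread and not code from NLnet Labs or any of the named implementations. It builds a minimal DNS query in wire format (RFC 1035), parses the header flags of a response, decides whether the truncated (TC=1) answer must be retried over TCP, and shows the two-octet length framing that DNS-over-TCP uses (RFC 7766). No sockets are used; the truncated response is a constructed sample so the code runs offline.

```python
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (all 16-bit, network order)
DNS_HEADER = struct.Struct("!HHHHHH")

# Flag bits in the 16-bit flags word
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: answer did not fit the UDP payload limit
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, qid=0x1234, edns_bufsize=None):
    """Build a UDP query (RD=1) for qname/qtype; optionally add an EDNS0 OPT RR
    advertising the UDP payload size the client can accept."""
    arcount = 1 if edns_bufsize else 0
    msg = DNS_HEADER.pack(qid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-octet header into a dict of the fields a fallback decision needs."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def question_end(msg):
    """Offset just past the first question (name + QTYPE + QCLASS)."""
    i = DNS_HEADER.size
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4


def needs_tcp_fallback(query, response):
    """A response whose id matches the query and which carries TC=1 must be retried over TCP."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] and r["id"] == q["id"] and r["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with its length as a 16-bit big-endian integer."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Split a TCP byte stream into complete DNS messages; returns (messages, leftover)."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, i)
        if i + 2 + n > len(stream):
            break  # partial message, wait for more bytes
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs, stream[i:]


def make_truncated_response(query):
    """Constructed sample of what a server sends when the answer does not fit in UDP:
    the question is echoed back, QR and TC are set, and no answer records are included."""
    h = parse_header(query)
    flags = FLAG_QR | FLAG_TC | FLAG_RA | (FLAG_RD if h["rd"] else 0)
    return DNS_HEADER.pack(h["id"], flags, 1, 0, 0, 0) + query[DNS_HEADER.size:question_end(query)]


if __name__ == "__main__":
    q = build_query("example.com.", edns_bufsize=1232)
    r = make_truncated_response(q)
    if needs_tcp_fallback(q, r):
        print("TC=1 received, retrying over TCP:", frame_for_tcp(q).hex())
```

The fallback check deliberately requires QR=1 and a matching id before honouring TC, so a stray or spoofed datagram cannot push a client into opening TCP connections. On the server side the same framing applies in reverse: RRL or a deliberately small UDP answer with TC=1 forces the (unspoofable, handshake-backed) TCP path, which is why TC-bit handling and TCP support matter for the amplification discussion above.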