[NLNOG] What if… DNS over TCP?

Benno Overeinder benno at NLnetLabs.nl
Wed Feb 7 16:53:55 CET 2018

Dag Mark,

On 07/02/2018 16:14, Mark Schouten wrote:
> Hi,
> I've had this idea, read about it and let me know what you think.
> https://www.tuxis.nl/blog/what-if-dns-over-tcp-20180207/

Thank you for writing down your ideas.  I have some questions and a
couple of comments for you to consider.

Question 1: Was the recent DDOS armed by open resolvers allowing for a
DNS amplification attack?  I didn't hear about the specifics other than
a botnet, hired for a nominal fee.

Question 2: Are DNS amplification attacks still an issue?  As far as I
understand, most name servers are equipped with RRL (response rate
limiting), effectively nullifying (well, almost) the spoofed traffic.

I guess most DNS name servers (authoritative/recursive) do support TCP
to deal with TC bit (truncated answer) and (should try) TCP fallback.
Measuring name server TCP capabilities by scanning name servers might be
quite an effort (i.e. which name server to scan?), but you can also look
at the different DNS server implementations, e.g. BIND, PowerDNS, Knot
DNS and NSD/Unbound.  ;-)

In the past years, we (the open source DNS community) made substantial
progress with introducing DNS-over-TLS in the different code bases.
This started in the IETF DPRIVE working group and implementations are
well on the way.  See for more information https://dnsprivacy.org/wiki/.

All this DNS-over-TLS work focuses on stub to resolver interactions: the
easy part wrt scaling (up to 10.000 clients).  The hard part is still
the authoritatives that see up to millions of queries per second.


-- Benno

Benno J. Overeinder
NLnet Labs
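Added illustration of the TC-bit / TCP-fallback behaviour the message refers to (example code written for this page; it is not from the original post, nor from NLnet Labs, BIND, PowerDNS or Knot). It builds a DNS query, inspects the header flags of a response, and resends over TCP with the RFC 1035 two-byte length framing when the TC bit is set. No network is used: the UDP and TCP "transports" are constructed callables, and the truncated response is constructed inline.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (QDCOUNT=1, RD set) for qname/qtype IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_fallback(query: bytes, response: bytes) -> bool:
    """True when the response to `query` carries TC=1 and must be retried over TCP."""
    hdr = parse_header(response)
    query_id = struct.unpack("!H", query[:2])[0]
    # A response with a foreign ID or without QR set is not ours; refuse it.
    if hdr["id"] != query_id or not hdr["qr"]:
        raise ValueError("response does not match query")
    return hdr["tc"]


def frame_for_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit length (RFC 1035 section 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> list:
    """Split a TCP byte stream into complete DNS messages; drop a trailing partial one."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break  # incomplete message still in flight
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs


def query_with_fallback(query: bytes, udp_send, tcp_send):
    """Send over UDP first; on TC=1 resend the same query over TCP.

    udp_send(query) -> raw response; tcp_send(framed_query) -> raw stream.
    Returns (response_message, transport_used).
    """
    resp = udp_send(query)
    if not needs_tcp_fallback(query, resp):
        return resp, "udp"
    stream = tcp_send(frame_for_tcp(query))
    msgs = unframe_tcp(stream)
    if not msgs:
        raise ValueError("incomplete TCP response")
    return msgs[0], "tcp"


# Constructed responses for demonstration: same ID and question, no answer data.
def make_truncated_response(query: bytes) -> bytes:
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def make_full_response(query: bytes) -> bytes:
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com")
    udp = lambda m: make_truncated_response(m)            # constructed UDP path
    tcp = lambda f: frame_for_tcp(make_full_response(unframe_tcp(f)[0]))
    msg, transport = query_with_fallback(q, udp, tcp)
    print(transport, parse_header(msg))
```

The fallback decision lives in `needs_tcp_fallback`, which also rejects a response whose ID does not match the outstanding query; a resolver that retried over TCP on any TC bit it saw, regardless of ID, would let an unrelated datagram steer its transport choice.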
