[AusNOG] "stateless TCP" for DNS
Dobbins, Roland
rdobbins at arbor.net
Fri Nov 12 16:59:06 EST 2010
On Nov 12, 2010, at 11:43 AM, grenville armitage wrote:
> I'd be interested in hearing from anyone who (a) thinks it is interesting
I posited this same idea a few years back when I was at Cisco, and wanted to do a TCP/53 reachability survey in order to determine the degree to which bad 'security' advice has resulted in TCP/53 blockage throughout the Internet as a whole, with an eye towards determining the feasibility of moving commonplace DNS queries/responses over to TCP; unfortunately, I wasn't able to allocate the time to do it, then.
Like you and Geoff, I believe that modern hardware and kernels/IP stacks make TCP/53 DNS much more viable for normal use than the original consensus around utilizing UDP due to older TCP stack/connection constraints. Furthermore, I believe that the pervasive amplification effect of DNSSEC in terms of DNS reflection/amplification DDoS attacks is a serious problem, in that attackers don't have to do nearly as much digging to find a large record to abuse, and, given that utilizing TCP obviates the spoofing vector, a TCP-based DNS would offer a substantial win over current EDNS0 and accomplish about 80% of what DNSSEC is intended to do with far less complexity and fewer negative side-effects.
However, it's essential that, as part of this experimentation and research, a TCP/53 reachability study is performed in order to determine the degree of brokenness out there on the Internet today in this regard, which will allow extrapolation of this class of operational barriers to widespread TCP/53 DNS deployment. Perhaps we can look into getting such a project going?
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
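The reachability study Roland proposes boils down to asking each server the same question over UDP/53 and over TCP/53 and recording which transport answers. The script below is an added example for this thread, not code from Roland or from AusNOG: it hand-builds a DNS query with the standard library only, sends it over both transports (TCP with the two-byte length prefix RFC 1035 requires), and reports for each whether the server answered, the response/request byte ratio (the amplification a spoofed UDP query would yield, which a TCP handshake denies the spoofer) and whether the UDP answer carried the TC bit. The server address on the command line and `example.com` as the query name are assumptions; point it at resolvers and authoritatives you operate.

```python
"""TCP/53 vs UDP/53 reachability probe (added example, not from the AusNOG post)."""
import random
import socket
import struct
import sys


def build_query(qname, qtype=1, rd=True, txid=None):
    """Encode a one-question DNS message: 12-byte header plus QNAME/QTYPE/QCLASS."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000          # RD bit set; QR=0 marks a query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname_wire = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:             # RFC 1035: labels are 1..63 octets
            raise ValueError("bad label length: %r" % label)
        qname_wire += bytes([len(raw)]) + raw
    question = qname_wire + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN
    return header + question


def tcp_frame(msg):
    """Prefix a DNS message with its 16-bit big-endian length for TCP transport."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Strip the TCP length prefix, refusing frames shorter than they claim."""
    if len(stream) < 2:
        raise ValueError("short TCP DNS frame")
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("truncated TCP DNS frame")
    return stream[2:2 + n]


def tc_bit_set(msg):
    """True when TC is set: the UDP answer was cut short and must be retried over TCP."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    return bool(msg[2] & 0x02)                # byte 2 = QR|Opcode(4)|AA|TC|RD


def amplification_factor(request, response):
    """Bytes returned per byte sent: the figure reflection abuse depends on."""
    return len(response) / len(request)


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return buf


def probe(server, qname, qtype=1, timeout=3.0, port=53):
    """Query one server over UDP and TCP; return {transport: (answered, amplification, tc)}."""
    query = build_query(qname, qtype)
    result = {}
    # UDP: one datagram each way, so a forged source address still gets the server to reply.
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            resp, _ = s.recvfrom(4096)
        result["udp"] = (True, amplification_factor(query, resp), tc_bit_set(resp))
    except (OSError, ValueError):
        result["udp"] = (False, None, None)
    # TCP: the three-way handshake completes first, so the client must own its source address.
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(tcp_frame(query))
            hdr = _recv_exact(s, 2)
            (n,) = struct.unpack("!H", hdr)
            resp = tcp_unframe(hdr + _recv_exact(s, n))
        result["tcp"] = (True, amplification_factor(query, resp), tc_bit_set(resp))
    except (OSError, ValueError):
        result["tcp"] = (False, None, None)
    return result


if __name__ == "__main__":
    # Assumed invocation: python probe.py <server-ip> [qname]; defaults are illustrative.
    server = sys.argv[1]
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    for transport, (ok, amp, tc) in sorted(probe(server, name).items()):
        state = "reachable" if ok else "blocked/timeout"
        print("%s/53: %s amplification=%s tc=%s" % (transport, state, amp, tc))
```

Run against a list of servers and tabulate the `tcp` column: a server that answers on UDP but times out on TCP is exactly the filtering the post wants to quantify, and a UDP answer with `tc=True` from a server that is also TCP-unreachable shows a client that will never get the full response.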