On Sun, Mar 31, 2013 at 7:18 AM, Stephane Bortzmeyer <[email protected]> wrote:
> On Sun, Mar 31, 2013 at 02:30:50AM -0700,
> Xun Fan <[email protected]> wrote
> a message of 90 lines which said:
>
> > Instead of closing the open resolvers, can we just force queries
> > from external networks to use TCP?
>
> A very good idea, IMHO.

Thanks!

> > Say reply to queries from external networks with a short truncated
> > UDP to signal the querier to turn to TCP?
>
> Even better, allow only TCP from the beginning. This would completely
> suppress the amplification (that you still have with the truncated
> response).

If we could control the size of the truncated response (with the truncate flag set to 1), then this won't be a big problem.

> As far as I know, no existing resolving software implements that so
> the only way to deploy this approach would be with instructing the
> firewall to block incoming UDP/53.

Yes, not an existing implementation, so I want to hear from the community: 1) what are the potential problems with this solution? 2) Is it worth implementing?

> > Rate limiting is coming but many people think it's better for
> > authoritative name servers.
>
> Also, almost all the ORN are unmanaged machines, which will not deploy
> new mitigations, whether TCP or rate-limiting.

> > And as an internet measurement researcher, I also find the value of
> > open resolvers in some research projects that OR greatly extend our
> > view to the Internet.
>
> Another solution for this use is the DNS looking glass
> <http://www.bortzmeyer.org/dns-lg.html>.

Yes, thanks! This is a great project that I am going to participate in.
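The amplification question in the truncated-response idea comes down to how small a TC=1 reply can be. As an added example (not code from the thread or any resolver), the following Python builds the minimal truncated response, header plus the echoed question section and nothing else, and computes the bytes-out/bytes-in ratio for a constructed query; function names and sample values are my own.

```python
import struct

def build_query(qname: str, qtype: int, qid: int = 0x1234, edns: bool = False) -> bytes:
    """Constructed sample query: RD=1, one question, optional EDNS OPT record."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root name, type 41, UDP size 4096, TTL 0, RDLENGTH 0 (11 bytes)
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg

def question_end(msg: bytes) -> int:
    """Offset just past the single question section (QNAME + QTYPE + QCLASS)."""
    pos = 12
    while True:
        ln = msg[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1 + ln
    return pos + 4

def truncated_reply(query: bytes) -> bytes:
    """Minimal TC=1 response: same ID, QR=1, TC=1, RA=1, RD copied, RCODE=0,
    the question echoed back, and AN/NS/AR counts all zero. The EDNS OPT
    record from the query is deliberately not echoed, so the reply is never
    larger than the query."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries handled")
    end = question_end(query)
    rflags = 0x8000 | 0x0200 | (flags & 0x0100) | 0x0080
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + query[12:end]

def amplification(query: bytes, reply: bytes) -> float:
    """Bytes sent back per byte received; 1.0 means no amplification."""
    return len(reply) / len(query)
```

For a plain `example.com ANY` query the ratio is exactly 1.0, and with an EDNS OPT record in the query it drops below 1.0, which is the bound the truncated-reply approach relies on.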
