Hi Paul

On Thu, Jul 21, 2016 at 11:10:10AM -0400, Paul Wouters wrote:
> And I have been wondering if we should allow for a DNS padding in the
> query packet to ensure answer packets (over UDP) are going to be
> smaller than the query packet, and therefore prevent DDoS
> amplification.

This has been mentioned before. Some thoughts:

For DNS, this can affect some cases such as query packets not making it
to the server due to size, lack of ability of the client to guess what
the answer's message size may be, and also EDNS UDP payload size
behavior.

In DNS over UDP and its poor-man's-pMTU-discovery, it's the client that
drives the discovery of what works - the server has no idea of whether a
query+answer roundtrip has succeeded in a reply successfully delivered
to the client, whereas the client does. The client can use this to tweak
the UDP payload size, but if the query itself may get dropped, it can't
tell if it was the query or the reply that disappeared - there is some
faith that an unpadded question-only DNS message will go through
somewhat reliably.

Once a client cookie has been established (associated with a source IP
address), there's no need to use padding, so perhaps this could be a
step in the initial handshake when the cookie is established - there
could be message size limits on this cookie-establishment query and
reply.

DJB's CurveCP comes to mind for how it prevents amplification during the
initial handshake.

                Mukund

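To make the idea in this thread concrete (a padded query so the UDP answer is no larger than the question, and a server that relaxes that rule once a client cookie is present), here is an added example in Python. It is not code from the thread, from BIND or from any other resolver; it builds a minimal DNS query by hand with an EDNS(0) OPT record, uses the real option codes for COOKIE (10, RFC 7873) and Padding (12, RFC 7830), and the `udp_answer_policy` function is a hypothetical server-side rule written to illustrate the proposal, not any existing implementation's behaviour.

```python
import struct

OPT_COOKIE = 10    # EDNS(0) COOKIE option code (RFC 7873)
OPT_PADDING = 12   # EDNS(0) Padding option code (RFC 7830)
OPT_RR_FIXED = 11  # OPT RR fixed part: root name (1) + type (2) + class (2) + ttl (4) + rdlen (2)
TYPE_OPT = 41


def encode_name(name):
    """Wire-format a dotted name as uncompressed labels ending with the root label."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, udp_payload=1232, pad_to=0, cookie=b"", txid=0x1234):
    """Build a DNS query with an OPT RR. If pad_to is larger than the unpadded
    message, an EDNS Padding option is appended so the whole message is exactly
    pad_to bytes; a client cookie (constructed by the caller) is carried in a
    COOKIE option. Padding is placed last, as RFC 7830 recommends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags: RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    options = b""
    if cookie:
        options += struct.pack("!HH", OPT_COOKIE, len(cookie)) + cookie
    unpadded = len(header) + len(question) + OPT_RR_FIXED + len(options)
    if pad_to > unpadded + 4:  # 4 bytes for the padding option's own header
        pad_len = pad_to - unpadded - 4
        options += struct.pack("!HH", OPT_PADDING, pad_len) + b"\x00" * pad_len
    # OPT RR: root name, TYPE 41, CLASS = requestor's UDP payload size, TTL = ext-rcode/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, len(options)) + options
    return header + question + opt_rr


def skip_name(msg, pos):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        ln = msg[pos]
        if ln == 0:
            return pos + 1
        if ln & 0xC0 == 0xC0:  # a 2-byte compression pointer terminates the name
            return pos + 2
        pos += 1 + ln


def parse_edns_options(msg):
    """Walk a DNS message and return (udp_payload_size, {option_code: option_data})
    from its OPT RR, or (None, {}) if there is no OPT RR. This is what a server
    would do to find the client's cookie and to learn how much the query was padded."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):
        pos = skip_name(msg, pos)
        rdlen = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
        pos += 10 + rdlen
    udp_payload, options = None, {}
    for _ in range(ar):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata_end = pos + rdlen
        if rtype == TYPE_OPT:
            udp_payload = rclass
            while pos + 4 <= rdata_end:
                code, olen = struct.unpack("!HH", msg[pos:pos + 4])
                options[code] = msg[pos + 4:pos + 4 + olen]
                pos += 4 + olen
        pos = rdata_end
    return udp_payload, options


def udp_answer_policy(query_len, answer_len, cookie_valid):
    """Hypothetical server rule for the proposal in the thread: send the full
    answer over UDP if the client has proven its source address with a valid
    cookie, or if the answer is no larger than the (padded) query, i.e. the
    amplification factor is at most 1. Otherwise return 'truncate', meaning
    send a minimal response with TC set so the client retries over TCP."""
    if cookie_valid or answer_len <= query_len:
        return "answer"
    return "truncate"


if __name__ == "__main__":
    # Constructed sample: a padded cookie-less query and an unpadded query carrying a client cookie.
    padded = build_query("example.com.", pad_to=512)
    with_cookie = build_query("example.com.", cookie=b"\x01" * 8)
    print(len(padded), parse_edns_options(padded)[0], udp_answer_policy(len(padded), 1000, False))
    print(len(with_cookie), parse_edns_options(with_cookie)[1][OPT_COOKIE].hex())
```

The two sizes that matter to the server are easy to read off the parsed query: how large the query was on the wire, and whether a COOKIE option arrived. The policy deliberately keys the relaxation on a *valid* cookie, since an attacker can send an unverified cookie option as easily as none at all; the padding-only rule remains the fallback until that verification has happened.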

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
