> > It does, but normally only responses which are too long for UDP
> > require the use of TCP. A recursive nameserver could mitigate this
> > type of attack by lowering the maximum response size it is willing
> > to send via UDP, forcing the use of TCP and thus a three-way
> > handshake for larger responses. The tricky part is that setting
> > the threshold too low can have serious performance impact.
>
> Note that in real deployments just this behavior has broken things
> on occasion, as many firewall and other such policy application points
> assume things like DNS resolution will only be UDP/53 transactions.
That assumption has always been wrong.
I would also dispute the "many" above. Most firewalls
actually handle the transition to TCP perfectly fine. There
are the odd few that are misconfigured. When that happens
people complain because nameserver resolution fails. Either
the dataset is "fixed" or the firewall is fixed.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
_______________________________________________
Ietf mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/ietf
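As an added illustration of the mitigation described in the quoted text (this is example code written for this page, not code from the thread, from ISC or from any nameserver): the server side caps the UDP response size and answers with the TC bit set, and the client side checks TC to decide on a TCP retry. The query name, the record set and the function names are constructed for the example.

```python
import struct

# Constructed sample query name: "example.test" in DNS wire format (labels + root).
QNAME = b"\x07example\x04test\x00"
TC_BIT = 0x0200   # "TrunCation" flag in the DNS header flags word


def build_response(txid: int, rdatas: list) -> bytes:
    """Build a minimal DNS response: header, one A question, one A RR per rdata."""
    flags = 0x8180  # QR=1, RD=1, RA=1, TC=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rdatas), 0, 0)
    question = QNAME + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for rdata in rdatas:
        # 0xC00C is a compression pointer to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answers


def question_end(response: bytes) -> int:
    """Offset just past the (single, uncompressed) question section."""
    off = 12
    while response[off] != 0:
        off += response[off] + 1
    return off + 1 + 4  # terminating root label + QTYPE + QCLASS


def truncate_for_udp(response: bytes, max_udp_size: int) -> bytes:
    """Server side of the mitigation: a response larger than the UDP cap is
    sent as header + question with TC=1 and no records, so the client must
    retry over TCP (and therefore complete a handshake) to get the data.
    The lower the cap, the more answers take this slower path."""
    if len(response) <= max_udp_size:
        return response
    txid, flags, qdcount = struct.unpack("!HHH", response[:6])
    header = struct.pack("!HHHHHH", txid, flags | TC_BIT, qdcount, 0, 0, 0)
    return header + response[12:question_end(response)]


def needs_tcp_retry(response: bytes) -> bool:
    """Client side: a set TC bit means the UDP answer is incomplete; retry over TCP."""
    return bool(struct.unpack("!H", response[2:4])[0] & TC_BIT)


if __name__ == "__main__":
    # Constructed: 20 A records in 192.0.2.0/24 (documentation range), 350 bytes total.
    full = build_response(0x1234, [bytes([192, 0, 2, i]) for i in range(1, 21)])
    for cap in (512, 128):
        sent = truncate_for_udp(full, cap)
        print(f"cap={cap}: {len(full)} -> {len(sent)} bytes, TCP retry: {needs_tcp_retry(sent)}")
```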