
discuss - Re: [opennic-discuss] iptables rules inefficient

  • From: staticsafe <me AT staticsafe.ca>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] iptables rules inefficient
  • Date: Sat, 1 Jun 2013 09:23:56 -0400

On Fri, May 31, 2013 at 09:45:58PM -0400, Christopher wrote:
> Has anyone ever tried using TCP only for a DNS server? I don't know
> how well clients would handle that, and I know it has some extra
> latency, but if it eliminates the ability to use it for a DDoS it
> seems like it might be something worth trying.
>
> I'm assuming that regular TCP-DNS uses one connection per query. Would
> it be possible to set it up so it kept the connection up for many
> queries, or would that require using a tunnel or rewriting software?
>
> - C
>

Amusingly, a mildly related conversation is going on dns-operations, I quote:

----- Forwarded message from Paul Vixie <paul AT redbarn.org> -----

Date: Fri, 31 May 2013 16:04:18 -0700
From: Paul Vixie <paul AT redbarn.org>
To: "Dobbins, Roland" <rdobbins AT arbor.net>
Cc: "dns-operations AT lists.dns-oarc.net List" <dns-operations AT mail.dns-oarc.net>
Subject: Re: [dns-operations] DNSCrypt.

let's have a war game, ok? you set up an authority server and we'll make
a distributed set of recursive servers that pound the hell out of that
authority server in the usual unhealthy-but-apparently-necessary ways
that recursive servers pound the hell out of authority servers. we'll
figure out a way to run the system at equilibrium and we'll note what
"equilibrium" is.

then you turn off udp and force that load to use tcp.

then i'll come in from the side and wreck your ability to answer
reliably using tcp.

then you can hack your server any way you want that doesn't expressly
violate RFC 1035 4.2.2.

then we'll see what the final new equilibrium is.

and then, i predict, people everywhere will stop saying "udp/53 is
crazy, let's all switch to tcp/53".

paul

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post - http://goo.gl/YrmAb
Don't CC me! I'm subscribed to whatever list I just posted on.
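The persistent-connection DNS-over-TCP behaviour Christopher asks about, and the RFC 1035 section 4.2.2 framing Vixie's rules refer to, shown as an added example. This is not code from the list post, from OpenNIC, or from any DNS server; the responder is a constructed stub on loopback that echoes each question back with the QR bit set, so the script runs offline. The point it demonstrates is that TCP DNS does not need one connection per query: every message carries a two-byte length prefix, so a client can pipeline several queries on one connection and read the answers back in order.

```python
import socket
import struct
import threading
from typing import List, Optional, Tuple

# Added example (not from the list post). Over TCP, each DNS message is
# prefixed by a two-byte big-endian length field (RFC 1035 section 4.2.2).
# That framing is what lets many queries share one persistent connection.
# stub_server below is a constructed responder: it only echoes the question
# back with the QR (response) bit set and answers nothing real.


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, NUL-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: header (RD set, QDCOUNT=1) plus one IN-class question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def frame(message: bytes) -> bytes:
    """Prepend the two-byte length field required for DNS over TCP."""
    return struct.pack("!H", len(message)) + message


def recv_exact(sock: socket.socket, n: int) -> Optional[bytes]:
    """Read exactly n bytes; TCP may split or merge segments, so loop. None on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def read_message(sock: socket.socket) -> Optional[bytes]:
    """Read one length-prefixed DNS message from the stream."""
    hdr = recv_exact(sock, 2)
    if hdr is None:
        return None
    (length,) = struct.unpack("!H", hdr)
    return recv_exact(sock, length)


def stub_server(listener: socket.socket, max_messages: int) -> None:
    """Constructed stub: accept one connection and answer each framed query
    with the same message, flags word OR 0x8000 (QR bit) to mark a response."""
    conn, _ = listener.accept()
    with conn:
        for _ in range(max_messages):
            msg = read_message(conn)
            if msg is None:
                break
            txid, flags = struct.unpack("!HH", msg[:4])
            conn.sendall(frame(struct.pack("!HH", txid, flags | 0x8000) + msg[4:]))


def queries_over_one_connection(names: List[str]) -> List[Tuple[int, bool]]:
    """Send every query on a single TCP connection, then read the replies in
    order. Returns (transaction id, QR bit set) for each reply received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # loopback, ephemeral port: runs offline
    listener.listen(1)
    server = threading.Thread(target=stub_server, args=(listener, len(names)), daemon=True)
    server.start()
    results: List[Tuple[int, bool]] = []
    with socket.create_connection(listener.getsockname()) as client:
        # Pipelining: write all framed queries before reading any answer.
        client.sendall(b"".join(frame(build_query(i + 1, n)) for i, n in enumerate(names)))
        for _ in names:
            reply = read_message(client)
            if reply is None:
                break
            txid, flags = struct.unpack("!HH", reply[:4])
            results.append((txid, bool(flags & 0x8000)))
    server.join(timeout=5)
    listener.close()
    return results


if __name__ == "__main__":
    print(queries_over_one_connection(["example.com", "example.net", "example.org"]))
```

The length prefix is the whole mechanism: nothing in the protocol ties a query to a connection, so a client that keeps the socket open can match replies to queries by transaction id. Note the other side of the trade that Vixie's war game is about: a TCP server must hold per-connection state, so the spoofed-source amplification problem of UDP is traded for a state-exhaustion target, and the `recv_exact` loop is exactly where a slow or half-open client can tie up a worker.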
