large organization nameservers sending icmp packets to dns servers.

Douglas Otis dotis at mail-abuse.org
Thu Aug 9 19:13:11 UTC 2007


On Aug 8, 2007, at 5:35 PM, Paul Vixie wrote:

>
>>>> ... but a TCP connection will consume a
>>>> significant amount of a name server's resources.
>>>
>>> ...wrong.
>>
>> Wanting to understand this comment, ...
>
> the resources given a nameserver to TCP connections are tightly  
> controlled, as described in RFC 1035 4.2.2.  so while TCP/53 can  
> become unreliable during high load, the problems will be felt by  
> initiators not targets.

The relevant entry in RFC 1035 Section 4.2.2 recommends that the server
not block other activities waiting for TCP data.  This is not exactly
a requirement that TCP should fail before UDP.

The concern leading to a suggestion that TCP always fail was a bit  
different.  A growing practice treats DNS as a type of web server  
when used to publish rather bulky script-like resource records.  Due  
to typical sizes, it is rather common to find these records depend  
upon TCP fallback.  This problem occurred with paypal, for example.   
TCP fallback is especially problematic when these records are given  
wildcards.  Such fallback increases the amplification associated with  
an exploit related to the use of the script within the record.

Of course there are better ways to solve this problem, but few are as  
certain.

-Doug