DNS problems to RoadRunner - tcp vs udp

Sean Donelan sean at donelan.com
Sat Jun 14 18:43:46 CDT 2008

On Sat, 14 Jun 2008, Scott McGrath wrote:
> Also recall we have a comittment to openess so we would like to make TCP 
> services available but until we have effective DNS DoS mitigation which can 
> work with 10Gb links It's not going to happen.

I feel your pain, but I think there may be a slight mis-analysis of the
situation.  However I may be mistaken, given the lack of details.

The 10Gb really doesn't have much to do with tcp-state-table problems.

Any network with a large user population probably should have separate
DNS servers for their authoritative zones answering the Internet 
at-large and their recursive resolvers serving their user population.

DNS recursive resolvers may not need to answer unsolicited queries from
the Internet at large.  It may make sense to keep those servers behind
stateful packet gateways, and only allow both UDP and TCP responses from 
the Internet to UDP and TCP queries made by the local, authorized users.
Because you don't know what Answer all the other DNS servers may give,
including a Truncated answer, recursive resolvers must be able to use TCP
to send queries to the Internet at large, and receive TCP queries from
its local, authorized user population.

If your own local users are DOSing your own DNS recursive resolvers, 
hopefully that's your own problem.

A DNS authoritative server may only need to answer unsolicited UDP 
queries from the Internet at large. Because DNS clients (stub, resolvers) 
must send a query as UDP first, and may use TCP if the Answer has the 
truncated bit set, an authoritative name server which knows all its 
answers will always fit in the minimum DNS Answer and never sets the 
truncated bit shouldn't get a TCP DNS query.  RFC1112 says DNS servers 
should answer unsolicited TCP DNS queries anyway, but its not a MUST and 
it may rate limit its TCP answers.

Given those constraints, it may make sense for DNS authoritative servers
to limit TCP, either with an ACL or rate-limit the TCP/SYNs.  But its only 
a medium term solution.  DNS answers are growing.  Someday those DNS 
authoritative servers probaly will need to send a large DNS Answer. But 
that is under the control of the local DNS administrator.  So hopefully he 
or she will know when the DNS server breaks, and will fix it then.

Also, modern TCP/IP stacks and modern name server implementations
don't have as many tcp-state-table issues as they did at the beginning
of the decade.  Any DOS attack based on TCP would disrupt HTTP/Web
servers just as much as TCP/DNS servers.  So many of the same mitigation
techniques (and attacks) for Web servers may be applicable to DNS servers.

So briefly

1. Separate your authoritative and recursive name servers
2. Recursive name servers should only get replies to their own DNS queries 
from the Internet, they can use both UDP and TCP
3. Recursive name servers should only get queries from their own user 
population, they can use both UDP and TCP
4. Authoritative servers may only need to answer UDP queries from the 
Internet, if they never truncates its Answers.  But the DNS 
administrator should plan what to do when its Answers get too large.

Most DNS servers don't provide good alerts to DNS administrators doing 
stupid things, like sending big DNS answers while blocking TCP.

I tried to capture some of these ideas in some ACLs

More information about the NANOG mailing list