nanog mailing list archives
Re: DNS problems to RoadRunner - tcp vs udp
From: Sean Donelan <sean () donelan com>
Date: Sat, 14 Jun 2008 19:43:46 -0400 (EDT)
On Sat, 14 Jun 2008, Scott McGrath wrote:
> Also recall we have a commitment to openness so we would like to make TCP services available but until we have effective DNS DoS mitigation which can work with 10Gb links it's not going to happen.
I feel your pain, but I think there may be a slight mis-analysis of the situation. However I may be mistaken, given the lack of details. The 10Gb really doesn't have much to do with tcp-state-table problems. Any network with a large user population probably should have separate DNS servers for their authoritative zones answering the Internet at-large and their recursive resolvers serving their user population.
DNS recursive resolvers may not need to answer unsolicited queries from the Internet at large. It may make sense to keep those servers behind stateful packet gateways, and only allow both UDP and TCP responses from the Internet to UDP and TCP queries made by the local, authorized users.
Because you don't know what Answer all the other DNS servers may give, including a Truncated answer, recursive resolvers must be able to use TCP to send queries to the Internet at large, and receive TCP queries from their local, authorized user population. If your own local users are DOSing your own DNS recursive resolvers, hopefully that's your own problem.
A DNS authoritative server may only need to answer unsolicited UDP queries from the Internet at large. Because DNS clients (stub, resolvers) must send a query as UDP first, and may use TCP if the Answer has the truncated bit set, an authoritative name server which knows all its answers will always fit in the minimum DNS Answer and never sets the truncated bit shouldn't get a TCP DNS query. RFC1112 says DNS servers should answer unsolicited TCP DNS queries anyway, but it's not a MUST and it may rate limit its TCP answers.
Given those constraints, it may make sense for DNS authoritative servers to limit TCP, either with an ACL or rate-limit the TCP/SYNs. But it's only a medium term solution. DNS answers are growing. Someday those DNS authoritative servers probably will need to send a large DNS Answer. But that is under the control of the local DNS administrator. So hopefully he or she will know when the DNS server breaks, and will fix it then.
Also, modern TCP/IP stacks and modern name server implementations don't have as many tcp-state-table issues as they did at the beginning of the decade. Any DOS attack based on TCP would disrupt HTTP/Web servers just as much as TCP/DNS servers. So many of the same mitigation techniques (and attacks) for Web servers may be applicable to DNS servers.

So briefly:

1. Separate your authoritative and recursive name servers.
2. Recursive name servers should only get replies to their own DNS queries from the Internet; they can use both UDP and TCP.
3. Recursive name servers should only get queries from their own user population; they can use both UDP and TCP.
4. Authoritative servers may only need to answer UDP queries from the Internet, if they never truncate their Answers. But the DNS administrator should plan what to do when their Answers get too large.
Most DNS servers don't provide good alerts to DNS administrators doing stupid things, like sending big DNS answers while blocking TCP.
I tried to capture some of these ideas in some ACLs <http://www.donelan.com/dnsacl.html>
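The point about truncation and oversized Answers can be made concrete with a small model of the DNS wire format. The following is an added example, not code from the post or from the ACL page linked above: it builds an authoritative UDP response, sets the TC bit when the Answer would exceed the classic 512-byte limit, shows the resolver-side check that triggers the TCP retry, and audits a constructed zone for names that would never be answerable if TCP were blocked. It assumes no EDNS0 unless a larger limit is passed in, and simplifies truncation to "drop trailing RRs and set TC"; all names and records are made up.

```python
"""Added example (not from the post or the author's ACL page): a small
DNS wire-format model showing when an authoritative Answer overflows the
classic 512-byte UDP payload, forcing the TC (truncated) bit and a TCP
retry by the resolver.  Assumptions: no EDNS0 unless a larger limit is
passed, and a server that drops trailing RRs once the limit is hit (a
simplification of what real servers do).  All zone data is constructed.
"""
import struct

UDP_MAX = 512            # classic DNS/UDP limit (RFC 1035) without EDNS0
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200
TYPE_A, TYPE_TXT, CLASS_IN = 1, 16, 1
HEADER_LEN = 12
QNAME_PTR = b"\xc0\x0c"  # compression pointer to the question name at offset 12


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length byte + label, then root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rdatas, qtype=TYPE_A, ttl=300, udp_limit=UDP_MAX):
    """Build an authoritative response; return (message, tc_set).

    Each RR reuses the question name via a compression pointer, so sizes
    match what a minimal real server would emit.  RRs that would push the
    message past udp_limit are dropped and TC is set instead.
    """
    flags = FLAG_QR | FLAG_AA
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    answers, ancount = b"", 0
    for rd in rdatas:
        rr = QNAME_PTR + struct.pack("!HHIH", qtype, CLASS_IN, ttl, len(rd)) + rd
        if HEADER_LEN + len(question) + len(answers) + len(rr) > udp_limit:
            flags |= FLAG_TC     # tell the client to retry over TCP
            break
        answers += rr
        ancount += 1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    return header + question + answers, bool(flags & FLAG_TC)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header fields a resolver looks at first."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {"id": ident, "tc": bool(flags & FLAG_TC), "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(msg: bytes) -> bool:
    """Resolver-side rule: a UDP reply with TC set must be retried over TCP."""
    return parse_header(msg)["tc"]


def audit_zone(rrsets, udp_limit=UDP_MAX):
    """Return the names whose complete answer would not fit in udp_limit
    bytes, i.e. the ones that will set TC and need TCP to be answered."""
    return [qname for qname, qtype, rdatas in rrsets
            if build_response(qname, rdatas, qtype, udp_limit=udp_limit)[1]]


def txt_rdata(*strings):
    """TXT RDATA is a sequence of <length><chars> character-strings."""
    return b"".join(bytes([len(s)]) + s for s in strings)


# Constructed sample zone: a name with 30 A records, a small one, and a
# TXT record whose single RR is already larger than 512 bytes.
SAMPLE_ZONE = [
    ("www.example.com", TYPE_A, [bytes([10, 0, 0, i]) for i in range(1, 31)]),
    ("mail.example.com", TYPE_A, [bytes([10, 0, 1, 1]), bytes([10, 0, 1, 2])]),
    ("big.example.com", TYPE_TXT, [txt_rdata(b"x" * 255, b"y" * 255)]),
]

if __name__ == "__main__":
    for name in audit_zone(SAMPLE_ZONE):
        print(f"{name}: answer exceeds {UDP_MAX} bytes over UDP; TC will be set")
    print("with EDNS0 4096:", audit_zone(SAMPLE_ZONE, udp_limit=4096))
```

Running the audit against a zone's RRsets is the kind of alert the post says servers don't give: any name it lists is one whose clients will get a TC response over UDP and then fall back to TCP, so blocking TCP on the authoritative server makes that name unresolvable for them. Raising `udp_limit` to an EDNS0 buffer size shows how much headroom EDNS buys, while the single oversized TXT RR illustrates the case where no amount of dropping trailing records helps.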