On Sat, 14 Jun 2008, Scott McGrath wrote:
> Also recall we have a commitment to openness so we would like to make TCP services available but until we have effective DNS DoS mitigation which can work with 10Gb links it's not going to happen.
I feel your pain, but I think there may be a slight mis-analysis of the situation. However, I may be mistaken, given the lack of details. The 10Gb really doesn't have much to do with tcp-state-table problems.

Any network with a large user population probably should have separate DNS servers for their authoritative zones answering the Internet at-large and their recursive resolvers serving their user population.

DNS recursive resolvers may not need to answer unsolicited queries from the Internet at large. It may make sense to keep those servers behind stateful packet gateways, and only allow both UDP and TCP responses from the Internet to UDP and TCP queries made by the local, authorized users. Because you don't know what Answer all the other DNS servers may give, including a Truncated answer, recursive resolvers must be able to use TCP to send queries to the Internet at large, and receive TCP queries from their local, authorized user population. If your own local users are DOSing your own DNS recursive resolvers, hopefully that's your own problem.

A DNS authoritative server may only need to answer unsolicited UDP queries from the Internet at large. Because DNS clients (stub, resolvers) must send a query as UDP first, and may use TCP if the Answer has the truncated bit set, an authoritative name server which knows all its answers will always fit in the minimum DNS Answer and never sets the truncated bit shouldn't get a TCP DNS query. RFC1112 says DNS servers should answer unsolicited TCP DNS queries anyway, but it's not a MUST and it may rate limit its TCP answers. Given those constraints, it may make sense for DNS authoritative servers to limit TCP, either with an ACL or by rate-limiting the TCP/SYNs. But it's only a medium term solution. DNS answers are growing. Someday those DNS authoritative servers probably will need to send a large DNS Answer. But that is under the control of the local DNS administrator. So hopefully he or she will know when the DNS server breaks, and will fix it then.

Also, modern TCP/IP stacks and modern name server implementations don't have as many tcp-state-table issues as they did at the beginning of the decade. Any DOS attack based on TCP would disrupt HTTP/Web servers just as much as TCP/DNS servers. So many of the same mitigation techniques (and attacks) for Web servers may be applicable to DNS servers.

So briefly:

1. Separate your authoritative and recursive name servers.
2. Recursive name servers should only get replies to their own DNS queries from the Internet; they can use both UDP and TCP.
3. Recursive name servers should only get queries from their own user population; they can use both UDP and TCP.
4. Authoritative servers may only need to answer UDP queries from the Internet, if they never truncate their Answers. But the DNS administrator should plan what to do when its Answers get too large.

Most DNS servers don't provide good alerts to DNS administrators doing stupid things, like sending big DNS answers while blocking TCP.

I tried to capture some of these ideas in some ACLs <http://www.donelan.com/dnsacl.html>
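The four points above, written out as a stateful packet-decision model so the rules can be exercised offline. This is an added example, not the ACLs from the linked page or anything from the thread; the addresses, networks and the TCP rate-limit budget are constructed placeholders.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumed values): which addresses play which role.
LOCAL_NETS = [ip_network("192.0.2.0/24")]      # the local user population
RESOLVER = ip_address("192.0.2.53")             # recursive resolver serving those users
AUTH_SERVER = ip_address("198.51.100.53")       # authoritative server answering the Internet
TCP_QUERY_BURST, WINDOW = 3, 10.0               # assumed limit: 3 TCP queries per source per 10 s

@dataclass
class Packet:
    src: str; dst: str; proto: str; sport: int; dport: int
    qid: int; is_response: bool = False; ts: float = 0.0

class DnsPolicy:
    """Stateful decision function implementing points 1-4 of the post."""
    def __init__(self):
        self.pending = set()                # (remote ip, resolver port, qid) of the resolver's outbound queries
        self.tcp_seen = defaultdict(deque)  # source ip -> timestamps of TCP queries to the authoritative server

    @staticmethod
    def is_local(ip):
        return any(ip_address(ip) in net for net in LOCAL_NETS)

    def decide(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        if src == RESOLVER and p.dport == 53 and not p.is_response:
            self.pending.add((p.dst, p.sport, p.qid))    # point 2: remember our own outbound query (UDP or TCP)
            return "allow"
        if (src == RESOLVER and self.is_local(p.dst)) or src == AUTH_SERVER:
            return "allow"                                # our servers answering their own clients
        if dst == RESOLVER and p.is_response:
            key = (p.src, p.dport, p.qid)                 # point 2: only replies that match a pending query
            if key in self.pending:
                self.pending.discard(key)
                return "allow"
            return "deny"                                 # unsolicited or replayed reply
        if dst == RESOLVER and p.dport == 53:
            return "allow" if self.is_local(p.src) else "deny"   # point 3: queries only from local users
        if dst == AUTH_SERVER and p.dport == 53 and not p.is_response:
            if p.proto == "udp":
                return "allow"                            # point 4: UDP queries from anywhere
            recent = self.tcp_seen[p.src]                 # point 4: TCP still answered, but rate limited per source
            while recent and p.ts - recent[0] > WINDOW:
                recent.popleft()
            if len(recent) >= TCP_QUERY_BURST:
                return "deny"
            recent.append(p.ts)
            return "allow"
        return "deny"                                     # everything else, e.g. unsolicited replies to AUTH_SERVER
```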