.io auth. NS refuses UDP response to dnsviz.net – why shouldn’t I, too?

Al Klimov

5/11/24, 7:14 PM

Seriously, say, I block (return, not drop of course) UDP :53 in to my authoritative nameserver. Resolvers will fall back to TCP and I won’t need any rate limiting against spoofed source IPs. Because the spoofed victim of a DDoS attack would only get the connection refused equivalent of UDP or TCP ack, not a much larger DNS answer.

Simple solution, everything is fine. Or isn’t it that simple?

2 + 0

domain-name-system

udp

ddos

authoritative

rate-limiting

Score:2

Server

Håkan Lindqvist

5/12/24, 10:51 AM

The normal mechanism to switch a client over to TCP for regular queries is to send a truncated response (response with the TC flag set).
This is a common strategy used for implementing rate-limiting with the goal of limiting UDP-based amplification attacks while still providing service.

I would not rely on that resolver servers in general even attempt TCP spontaneously, even though it is of course allowed and would be good from a robustness perspective if they did.

+ 0

Score:2

Server

HBruijn

5/12/24, 10:53 AM

AFAIK The DNS protocol does not require that the request must be retried over TCP when contacting an authoritative name server fails via the default UDP transport. In practice blocking UDP will effectively make your authoritative name server unreachable.

The normal method is that DNS server needs to send a UDP response with the TC bit (Truncation) set, informing the client that the message length has exceeded the allowed size and to retry via TCP.

+ 1

anx

7/1/24, 9:24 PM

.. that defers part of the explanation to the immediate follow-up: What if, instead of unconditionally returning `unreachable`, one was to unconditionally return `TC`? (asked differently: why does bind9 not allow configuring arbitrarily small `max-udp-size`?)

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: .io auth. NS refuses UDP response to dnsviz.net – why shouldn’t I, too?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.