Assume I am managing a firewall between a DNS server and its clients. Is there any way to force clients to use TCP rather than UDP, so we can prevent DNS-spoofing types of DDoS attacks?

ibrahim

1 Answer

You should read A Question of DNS Protocols by Geoff Huston, which is an actual investigation into this idea, with statistics and everything:

If the DNS represents such a significant vulnerability for the Internet through these UDP-based reflection attacks, then does TCP represent a potential mitigation? Could we realistically contemplate moving away from the ubiquitous use of EDNS0 to support large DNS responses in UDP, and instead use DNS name servers that limit the maximal size of their UDP responses, and turn to TCP for larger responses?

I think the key points from that paper which address your question are:

  • If your server responds with partial UDP responses with the 'truncated' bit set, that will force clients to try TCP instead
  • Not all clients will be able to do so; 2% of clients and 17% of resolvers don't switch up to TCP (...as of 2013)

Personally, I think you'd be violating the spirit of RFC 1123:

DNS resolvers and recursive servers MUST support UDP, and SHOULD support TCP, for sending (non-zone-transfer) queries.

I'm not sure faking UDP just to switch people up to TCP counts as supporting UDP. That being said, there's always a gap between RFC and reality...

gowenfawr
  • Hi. I could do TCP conversion via a tool called dnsdist. In my tests, I saw Chrome works fine, but Firefox does not. It seems it didn't send a TCP request when I sent a truncated response. – ibrahim Sep 03 '15 at 11:02
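As an added illustration (not code from the answer, from the Huston paper, or from dnsdist), the following Python sketch shows the mechanism the answer describes: a UDP front end that echoes every query back with QR and TC set and an empty answer section, which is what makes an RFC-conformant client retry the same question over TCP. Function names such as `truncated_response` and the `example.com` query are assumptions of this example; a real deployment would only do this on the UDP socket and pass TCP queries through to the actual server.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # response
TC = 0x0200  # truncated: client should retry over TCP
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal UDP DNS query (constructed input for the demo)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # class IN


def question_end(msg):
    """Offset just past the first question (queries do not use name compression)."""
    off = 12
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        off += n
    return off + 4  # skip QTYPE and QCLASS


def truncated_response(query, transport="udp"):
    """Answer a UDP query with TC=1 and no answers, forcing a TCP retry.

    A query that already arrived over TCP must never be answered this way,
    otherwise a well-behaved client has nowhere left to go.
    """
    if transport != "udp":
        raise ValueError("TC-forcing only applies to UDP queries")
    txid, flags = struct.unpack("!HH", query[:4])
    rflags = QR | TC | (flags & RD) | RA  # RCODE 0, echo RD, claim RA
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + query[12:question_end(query)]  # echo the question only


def is_truncated(msg):
    """Check what a client checks before deciding to retry over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC)


if __name__ == "__main__":
    q = build_query("example.com")
    r = truncated_response(q)
    print("TC set:", is_truncated(r), "len:", len(r))
```

Clients that ignore TC, like the minority the paper measured, will simply see an empty answer and fail, which is the trade-off the answer warns about.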