On 08/11/2018 04:16 PM, John Levine wrote:
> In article <153397442482.20828.13036371457377811227@xxxxxxxxxxxxxx> you write:
>> This document is almost ready, but requires some clarifications and, more
>> importantly, an analysis of the impact of switching from a connection-less
>> protocol (UDP) to a connection-oriented protocol (HTTPS/TCP) for DNS resolution.
>
> But DNS resolution has always worked over TCP. See RFC 1035, section
> 4.2.2. The usual case is retry on TCP when a UDP response is
> truncated, but it's equally valid to do TCP in the first place.

I'm aware of that. But with traditional DNS, you start with UDP, and may fall
back to TCP. DoS'ing the TCP support doesn't DoS the whole system.

(If it were the case that 100% of UDP-based resolutions result in a subsequent
TCP-based resolution (which I'm not saying is not the case... I just don't know),
then I wouldn't have this concern.)

> Is there a reason that the security threats of DOH over TCP would be
> any different from existing DNS over TCP?

What could be different is the impact. What I'm wondering is, in a way, to what
extent it might be easier to completely DoS DNS resolution for the DoH case.

-- Defending against resource-exhaustion attacks is certainly more complex for
stateful protocols.

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
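As an added example (not part of this thread), the RFC 1035 section 4.2.2 mechanics the quoted reply refers to: a resolver keeps a UDP reply unless its TC bit is set, in which case the same query is retried over TCP, where each message carries a 2-byte length prefix. All bytes are constructed inline; there is no network I/O.

```python
import struct

# Added example, not code from the list thread. Constructed DNS messages only.

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query (RD=1) for qname, class IN, type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg: bytes) -> bytes:
    """Over TCP every DNS message is preceded by its big-endian 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def is_truncated(response: bytes) -> bool:
    """True when the TC bit (0x0200 in the flags word) is set in a response."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)


def next_transport(udp_response: bytes) -> str:
    """Resolver decision after a UDP reply: accept it, or retry over TCP."""
    return "tcp" if is_truncated(udp_response) else "udp"


# Constructed replies to the query above, reusing its question section.
# 0x8380 = QR | TC | RD | RA (truncated, no answers fit); 0x8180 = QR | RD | RA.
QUESTION = build_query("example.com")[12:]
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP reply truncated ->", next_transport(TRUNCATED_REPLY))
    print("TCP-framed query:", frame_for_tcp(q).hex())
```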