It does, but normally only responses which are too long for UDP
require the use of TCP. A recursive nameserver could mitigate this
type of attack by lowering the maximum response size it is willing
to send via UDP, forcing the use of TCP and thus a three-way
handshake for larger responses. The tricky part is that setting
the threshold too low can have serious performance impact.
Note that in real deployments just this behavior has broken things
on occasion, as many firewall and other such policy application points
assume things like DNS resolution will only be UDP/53 transactions.
That assumption has always been wrong.
I would also dispute the "many" above. Most firewalls
actually handle the transition to TCP perfectly fine. There
are the odd few that are misconfigured. When that happens
people complain because nameserver resolution fails. Either
the dataset is "fixed" or the firewall is fixed.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews(_at_)isc(_dot_)org
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
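As an added illustration of the mechanism the thread discusses, and not code from any of the posters: a Python sketch of the server-side decision to truncate a UDP response and set the TC bit so the client retries over TCP. The name, addresses, transaction ID and the two size limits are constructed for the example.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1).
QR = 0x8000   # message is a response
TC = 0x0200   # truncated: client should retry the query over TCP

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_response(txid, qname, ips, max_udp_size):
    """Build a UDP response to an A query with one A record per IP.
    If the full message exceeds max_udp_size, return header + question
    only, with TC set; that is what pushes the client to TCP."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    header = struct.pack("!HHHHHH", txid, QR, 1, len(ips), 0, 0)
    full = header + question + answers
    if len(full) <= max_udp_size:
        return full
    # Over the configured UDP limit: drop the answers and signal truncation.
    header = struct.pack("!HHHHHH", txid, QR | TC, 1, 0, 0, 0)
    return header + question

def needs_tcp_retry(msg):
    """Client side: a set TC bit means the UDP answer is incomplete."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC)

# Constructed sample: 40 addresses from the TEST-NET range for a documentation name.
SAMPLE_IPS = ["192.0.2.%d" % i for i in range(1, 41)]

def demo():
    """Same answer set under a generous and a restrictive UDP limit."""
    full = build_response(0x1234, "example.com", SAMPLE_IPS, 4096)
    trunc = build_response(0x1234, "example.com", SAMPLE_IPS, 512)
    return len(full), needs_tcp_retry(full), len(trunc), needs_tcp_retry(trunc)

if __name__ == "__main__":
    print(demo())  # (669, False, 29, True)
```

A real nameserver bounds the UDP reply by the smaller of its own configured maximum and the EDNS0 buffer size the client advertised; this sketch applies only the server-side limit.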