DNS runs over UDP, which means the source of requests for information can be spoofed. Also, the amount of data of a response is significantly larger than the request, so you can use DNS resolvers to send significantly more data to a victim than you yourself need to generate by sending DNS queries with your victim as the source IP.



Yes, I understand the attack. My point is that somewhere, there have to be DNS servers that respond to public requests ... otherwise the internet will not work.

Hence, some DNS servers have to be open. By saying it's openness that's the problem, we're blaming the victims, rather than the issue, which is that DNS is flawed. Simply moving to TCP would be better, surely?


UDP doesn't require a handshake hence is easy to spoof unlike TCP where a full-duplex connection must be established for a successful connection.


Yes, that's my point. If we move to TCP we fix the issue. At the moment I can't see how closing open servers is a real fix.


Moving from UDP back to TCP on large packets is a mixed bag. TCP is slow, very slow. At one time DNS packets were limited to 512 bytes and had to use TCP for more data, but over time the number of UDP packets over 512 bytes increased greatly. Going back to the smaller packet size would impact a large number of users with longer load times, especially on wireless devices.

Closing open DNS servers isn't a real fix. The people who need to fix it are the least likely to have a clue there is a problem in the first place.
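A resolver-side check that ties together the amplification point raised at the top of the thread and the open-resolver point in the later replies, as an added example (not code from any commenter): it reads constructed resolver log lines (hypothetical format: source IP, query bytes, response bytes), reports the response-to-query byte ratio per source, whether the source lies outside the networks the resolver is meant to serve (SERVED_NETWORKS is an assumption), and whether any single response exceeded the classic 512-byte UDP limit mentioned above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not from the thread): src IP, query bytes, response bytes.
SAMPLE_LOG = """\
10.0.5.17 48 112
10.0.5.17 48 96
203.0.113.9 64 3200
203.0.113.9 64 3100
203.0.113.9 64 3350
198.51.100.4 52 480
"""

# Networks this resolver is supposed to answer for (assumption for the example).
SERVED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Yield (src_ip, query_bytes, response_bytes) per line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield parts[0], int(parts[1]), int(parts[2])
        except ValueError:
            continue


def summarise(text):
    """Per-source totals: [query bytes, response bytes, largest single response]."""
    totals = defaultdict(lambda: [0, 0, 0])
    for src, q, r in parse_log(text):
        totals[src][0] += q
        totals[src][1] += r
        totals[src][2] = max(totals[src][2], r)
    return totals


def flag_sources(text, served=SERVED_NETWORKS, max_ratio=10.0):
    """Per source: byte ratio, whether it is outside the served networks (i.e. the
    resolver is acting as an open resolver for it), whether any response exceeded
    512 bytes, and a combined 'suspicious' flag for high-ratio, out-of-scope sources."""
    out = {}
    for src, (q, r, max_r) in summarise(text).items():
        addr = ipaddress.ip_address(src)
        outside = not any(addr in net for net in served)
        ratio = r / q if q else 0.0
        out[src] = {"ratio": round(ratio, 2), "outside": outside,
                    "over_512": max_r > 512,
                    "suspicious": outside and ratio >= max_ratio}
    return out
```

Since the source address of a spoofed query is the victim's, a high ratio toward an out-of-scope address is the pattern a resolver operator would want to alert on and rate-limit.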



