[nsd-users] Unexpected responses to ANY queries over TCP

Anand Buddhdev anandb at ripe.net
Thu May 7 12:48:25 UTC 2020

On 07/05/2020 14:20, Tuomo Soini wrote:

Hello Tuomo,

> I just explained to knot developers yesterday why it's bad idea to
> respond any queries on tcp on authoritative server.
> Let's try to do it again now here.
> As long as authoritative server answers to any queries with tcp it is
> possible to do dns amplification attack like described here:
> https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

This Cloudflare article is all about amplification over UDP, and it is 
something that we all understand. The article makes NO mention of 
amplification over TCP (because it's not possible), so I don't know what 
you are talking about.

> So dns server responding to any query (especially applicable when
> dnssec is used) can be used as a tool for dns amplification attack. It
> doesn't matter if query is udp or tcp, resolvers can query with tcp at

You are wrong. DNS amplification attacks cannot be done over TCP.

And if perchance you're referring to open resolvers that are made to do 
ANY queries... well, minimising responses to ANY over UDP solves that 
quite neatly. They won't retry over TCP.

> any time. And still respond to victims with udp. So it's important part
> of mitigation to do it at all levels.
> Only way to prevent this is to implement rfc8482 for both udp and tcp on
> authoritative server.

RFC 8482 section 4.4 specifically discusses response behaviour depending 
on transport. Over UDP, it is good to minimise responses. On the other 
hand, it's quite okay to provide a complete answer over TCP.
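An added example, written for this page rather than taken from NSD or from either poster, of the per-transport ANY policy that RFC 8482 section 4.4 permits: a minimised answer over UDP (the synthesised HINFO of section 4.2, CPU field "RFC8482", empty OS field) and a conventional full answer over TCP. The `RR` type, the `answer_any` function and the zone data are constructed for the illustration; the RRSIG rdata is a placeholder, not a real signature.

```python
"""Per-transport ANY response policy in the spirit of RFC 8482.

Added illustration, not NSD code. The record type, the function and the
sample zone below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type mnemonic, presentation-format rdata."""
    name: str
    rtype: str
    rdata: str

# Constructed sample zone data (RFC 5737 / 3849 documentation addresses);
# the RRSIG rdata is a placeholder, not a real signature.
SAMPLE_ZONE: List[RR] = [
    RR("example.test.", "A", "192.0.2.1"),
    RR("example.test.", "AAAA", "2001:db8::1"),
    RR("example.test.", "MX", "10 mail.example.test."),
    RR("example.test.", "TXT", '"v=spf1 -all"'),
    RR("example.test.", "RRSIG", "A 13 2 3600 <constructed placeholder>"),
    RR("mail.example.test.", "A", "192.0.2.25"),
]

# The synthesised HINFO that RFC 8482 section 4.2 describes for minimised
# ANY answers: CPU field "RFC8482", OS field empty.
def synthesized_hinfo(name: str) -> RR:
    return RR(name, "HINFO", '"RFC8482" ""')

def answer_any(name: str, zone: List[RR], transport: str) -> List[RR]:
    """Return the ANSWER-section records for a QTYPE=ANY query on `name`.

    transport is "udp" or "tcp". Over UDP the answer is minimised, because a
    large UDP reply to a spoofed source is the reflection case the thread
    discusses. Over TCP the client has completed a handshake that demonstrates
    it can receive traffic at its source address, so the full RRsets are
    returned; RFC 8482 section 4.4 allows behaviour to differ by transport.
    """
    if transport not in ("udp", "tcp"):
        raise ValueError(f"unknown transport {transport!r}")
    owned = [rr for rr in zone if rr.name == name]
    if not owned:
        # Name does not exist in this zone: nothing to answer (NXDOMAIN is the
        # caller's job; this helper only builds the ANSWER section).
        return []
    if transport == "tcp":
        return owned
    return [synthesized_hinfo(name)]

def estimated_answer_bytes(records: List[RR]) -> int:
    """Rough presentation-format size of an answer, useful when comparing the
    UDP and TCP policies. Wire format differs, so treat this as an estimate."""
    return sum(len(rr.name) + len(rr.rtype) + len(rr.rdata) + 4 for rr in records)

if __name__ == "__main__":
    for transport in ("udp", "tcp"):
        ans = answer_any("example.test.", SAMPLE_ZONE, transport)
        print(transport, len(ans), "records,", estimated_answer_bytes(ans), "bytes")
        for rr in ans:
            print("   ", rr.name, rr.rtype, rr.rdata)
```

Running it shows the point the reply makes: the UDP answer is a single small HINFO record while the TCP answer carries all five RRsets at the owner name, so there is no large unsolicited UDP reply to minimise away on the TCP side.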

