Abstract
Since its introduction in 1987, the DNS has become one of the core
components of the Internet. While it was designed to work with both TCP and
UDP, DNS-over-UDP (DoUDP) has become the default option due to its low
overhead. As new Resource Records were introduced, the sizes of DNS responses
increased considerably. This expansion of the message body has led to
truncation and IP fragmentation more often in recent years where large UDP
responses make DNS an easy vector for amplifying denial-of-service attacks
which can reduce the resiliency of DNS services. This paper investigates the
resiliency, responsiveness, and usage of DoTCP and DoUDP over IPv4 and IPv6
for 10 widely used public DNS resolvers. The paper specifically measures the
resiliency of the DNS infrastructure in the age of increasing DNS response
sizes that lead to truncation and fragmentation. Our results offer key
insights into the management of robust and reliable DNS network services.
While DNS Flag Day 2020 recommends an EDNS(0) buffer size of 1232 bytes, we
find that 3 of the 10 resolvers predominantly announce very large EDNS(0)
buffer sizes, both from the edge and from the core, which potentially causes
fragmentation. In reaction to large response sizes from authoritative name
servers, we find that in many cases resolvers do not fall back to DoTCP, which
leaves them exposed to fragmented responses. As message sizes in the DNS are
expected to grow further, this problem will become more urgent. This paper
presents these key results (particularly as a consequence of DNS Flag Day 2020),
which may help network service providers make informed choices to better
manage their critical DNS services.
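The mechanics the abstract refers to, namely the EDNS(0) buffer size a DNS speaker announces in its OPT record, the TC bit that signals a truncated UDP answer, and the resulting fall-back to DoTCP, as an added Python example that is not the paper's measurement code. It builds a wire-format query, parses a response for the TC flag and the peer's advertised buffer size, and decides whether a resolver must retry over TCP or is accepting a peer buffer size above the 1232-byte DNS Flag Day 2020 value. Constants follow RFC 1035 and RFC 6891; the sample responses produced by `build_response` are constructed for the demonstration, and the `next_step` labels and the `limit` parameter are assumptions made here for illustration.

```python
import struct

# Assumed constants: RFC 1035 header layout, RFC 6891 EDNS(0) OPT record,
# and the 1232-byte buffer size recommended by DNS Flag Day 2020.
FLAG_DAY_2020_BUFSIZE = 1232
TYPE_OPT = 41          # RR type of the EDNS(0) OPT pseudo-record
TYPE_A = 1
CLASS_IN = 1
FLAG_TC = 0x0200       # "truncated" bit in the header flags word


def _encode_name(qname):
    """Encode a dotted name as length-prefixed labels ending with the root label."""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name at off (a compression pointer ends a name)."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return off + 2
        off += 1 + length


def build_query(qname, qtype=TYPE_A, bufsize=FLAG_DAY_2020_BUFSIZE, txid=0x1234, dnssec_ok=True):
    """Wire-format DoUDP query whose EDNS(0) OPT RR advertises `bufsize` as the UDP payload size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = _encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS carries the advertised UDP payload size,
    # TTL carries ext-rcode/version/flags (DO bit = 0x8000), empty RDATA.
    opt_ttl = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, opt_ttl, 0)
    return header + question + opt


def inspect_response(msg):
    """Return (tc_set, advertised_bufsize); advertised_bufsize is None when no OPT RR is present."""
    _, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    bufsize = None
    remaining = ancount + nscount + arcount
    while remaining and off < len(msg):          # tolerate a body cut short by truncation
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            break
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            bufsize = rclass                     # OPT CLASS field == sender's UDP payload size
        off += 10 + rdlen
        remaining -= 1
    return bool(flags & FLAG_TC), bufsize


def next_step(msg, limit=FLAG_DAY_2020_BUFSIZE):
    """Decide what a resolver should do after receiving `msg` over UDP (labels are assumed here)."""
    truncated, bufsize = inspect_response(msg)
    if truncated:
        return "retry-over-tcp"                  # TC=1: the answer did not fit, DoTCP fall-back needed
    if bufsize is not None and bufsize > limit:
        return "udp-ok-but-peer-bufsize-oversized"   # peer invites answers large enough to fragment
    return "udp-ok"


def build_response(query, tc=False, bufsize=4096, address=bytes([192, 0, 2, 1])):
    """Constructed response to `query`: one A answer (name via pointer) unless tc, plus an OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    flags = 0x8180 | (FLAG_TC if tc else 0)      # QR, RD, RA (+ TC)
    answer = b"" if tc else b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + address
    header = struct.pack("!HHHHHH", txid, flags, 1, 0 if tc else 1, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    q = build_query("example.com.")
    for label, r in (("large EDNS(0) buffer", build_response(q, bufsize=4096)),
                     ("truncated", build_response(q, tc=True, bufsize=1232)),
                     ("Flag Day size", build_response(q, bufsize=1232))):
        print(label, inspect_response(r), next_step(r))
```

The same `inspect_response` can be pointed at a query captured from a resolver to read the buffer size it announces toward authoritative servers, which is the quantity the abstract reports for the 3 of 10 resolvers; a value above 1232 on a path without a known larger MTU is the setting that invites fragmentation.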