Comment on the article "TCP in the DNS world: more data and fewer attacks" by lol - That is why D. J. Bernstein wrote a note on tinydns and TCP...

  • 13. 4. 2016 19:23

    lol (unregistered) ---.45.broadband2.iol.cz

    That is why D. J. Bernstein wrote the following note on tinydns and TCP (https://cr.yp.to/djbdns/tcp.html#why):

    When are TCP queries sent?

    If you're in one of the following situations, you need to configure your DNS server to answer TCP queries:
    - You want to publish record sets larger than 512 bytes. (This is almost always a mistake.)
    - You want to allow outgoing zone transfers, for example to a third-party server.
    - A parent server refuses to delegate a name to you until you set up TCP service.

    If you aren't in any of those situations, you have no need to provide TCP service, and you should not set it up. DNS-over-TCP is much slower than DNS-over-UDP and is inherently much more vulnerable to denial-of-service attacks. (This applies to BIND too.)
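The first bullet of the quoted note rests on the classic RFC 1035 rule: a UDP answer may carry at most 512 bytes, so a server that cannot fit the whole record set sets the TC (truncated) bit and the client has to re-ask over TCP. The following is an added example, not code from the comment above or from djbdns, showing that rule end to end with a minimal wire-format encoder: a constructed "server" fills a UDP reply until the limit is reached, and a "client" checks TC to decide whether a TCP retry is needed. The name `big.example.`, the 10.0.0.0/16 addresses, and the function names are all made up for illustration. (EDNS0, which the article this comment replies to concerns, lets a resolver advertise a larger UDP buffer; the 512-byte limit shown here is the pre-EDNS0 behaviour Bernstein's note refers to.)

```python
"""
Constructed example (not from the original comment or from djbdns): a minimal
DNS wire-format encoder and the RFC 1035 rule that a UDP response larger than
512 bytes is truncated (TC bit set), forcing the client to retry over TCP.
Names, addresses and sizes below are made up for illustration.
"""
import struct

UDP_MAX = 512          # RFC 1035 section 4.2.1: UDP payload limit without EDNS0
FLAG_QR = 0x8000       # header flag: this message is a response
FLAG_TC = 0x0200       # header flag: response was truncated
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode 'big.example.' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Standard query for an A record: header (RD set, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, addrs: list, udp: bool = True) -> bytes:
    """Answer the query with one A record per address.

    For UDP, enforce the 512-byte limit the way an RFC 1035 server does: stop
    adding answers once the next one would not fit and set TC so the client
    knows the set is incomplete. Over TCP every record is sent.
    """
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]            # name + qtype + qclass (single question)
    rrs = []
    for a in addrs:
        rdata = bytes(int(octet) for octet in a.split("."))
        # 0xC00C is a compression pointer to the owner name at offset 12 (the question)
        rrs.append(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata)
    flags = FLAG_QR
    body = question
    ancount = 0
    for rr in rrs:
        if udp and 12 + len(body) + len(rr) > UDP_MAX:
            flags |= FLAG_TC         # record set does not fit: truncate and flag it
            break
        body += rr
        ancount += 1
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + body


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields the client cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an}


def needs_tcp_retry(msg: bytes) -> bool:
    """Client-side decision: a truncated UDP answer must be re-asked over TCP."""
    return parse_header(msg)["tc"]


def demo(n_addrs: int) -> dict:
    """Serve an RRset of n_addrs A records and report what UDP and TCP clients see."""
    query = build_query(0x1234, "big.example.")
    addrs = [f"10.0.{i // 256}.{i % 256}" for i in range(n_addrs)]   # constructed data
    udp_reply = build_response(query, addrs, udp=True)
    tcp_reply = build_response(query, addrs, udp=False)
    return {"udp_len": len(udp_reply),
            "udp_answers": parse_header(udp_reply)["ancount"],
            "retry_over_tcp": needs_tcp_retry(udp_reply),
            "tcp_len": len(tcp_reply),
            "tcp_answers": parse_header(tcp_reply)["ancount"]}


if __name__ == "__main__":
    print("small RRset:", demo(8))    # fits in UDP, no TC, no TCP needed
    print("large RRset:", demo(40))   # 40 x 16-byte RRs exceed 512 bytes: TC set
```

With the 17-byte question used here each A record costs 16 bytes, so a UDP reply holds at most 30 of them (12 + 17 + 30 * 16 = 509 bytes); the 40-record set is cut to 30 with TC set, and only the TCP reply (669 bytes) carries all 40. That is exactly the situation in which the quoted note says TCP service becomes mandatory, and why Bernstein calls such record sets "almost always a mistake": every resolver that hits TC pays a second round trip and a TCP handshake.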