named tcp dos?

Tony Finch dot at
Fri Aug 3 11:10:04 UTC 2018

Randy Bush <randy at> wrote:
> estimate or measure the distribution of the ratio of udp to tcp queries
> on say 100 cctld servers.

On a recently rebooted auth server, which hosts zones for a handful of
universities with and without DNSSEC, slightly less than 1% of queries are
over TCP.

$ curl -Ssf |
  jq '[ .nsstats.QryUDP, .nsstats.QryTCP ]'

I have a few config options which can affect TCP usage. These two should
reduce it:

	minimal-responses yes;
	minimal-any yes;

These ones can increase it:

	rate-limit {
		responses-per-second 10;
		ipv4-prefix-length 32;
		exempt-clients { cudn; };
	};

	max-udp-size 1420;

(The latter is to avoid UDP fragmentation.)

This is not a very beefy server so I haven't increased the TCP concurrency
very much:

	tcp-clients 256;

f.anthony.n.finch  <dot at>
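An added example, not code from the post above or from BIND itself: a small script that reads the same two "nsstats" counters the post's jq expression pulls out (QryUDP and QryTCP) and turns them into the TCP share of queries. It covers the two caveats a measurement like this needs: the counters are cumulative since named started, so comparing servers with different uptimes calls for a delta between two snapshots, and a counter that goes backwards means named restarted and that interval is unusable. The JSON documents are constructed samples in the shape of the statistics channel output; the statistics-channel URL in the comment is an assumption.

```python
"""Measure the TCP share of DNS queries from BIND 9's statistics channel.

Added example; not code from the original post. It reads the same two
"nsstats" counters the post's jq expression uses (QryUDP and QryTCP).
"""
import json
import statistics
from typing import Dict, List, Optional

# Constructed sample documents in the shape of BIND 9's statistics-channel
# JSON. Only the "nsstats" section matters here; real output carries many
# more counters. Two snapshots of one server taken some time apart, plus a
# third in which the counters have gone backwards (named was restarted).
SNAPSHOT_T0 = json.dumps({
    "json-stats-version": "1.2",
    "nsstats": {"Requestv4": 504100, "QryUDP": 500000, "QryTCP": 4000},
})
SNAPSHOT_T1 = json.dumps({
    "json-stats-version": "1.2",
    "nsstats": {"Requestv4": 1000000, "QryUDP": 992000, "QryTCP": 8000},
})
SNAPSHOT_AFTER_RESTART = json.dumps({
    "json-stats-version": "1.2",
    "nsstats": {"Requestv4": 1200, "QryUDP": 1190, "QryTCP": 10},
})


def snapshot(stats_json: str) -> Dict[str, int]:
    """Extract the cumulative UDP and TCP query counters from one document.

    Missing counters are treated as zero: a server that has never answered
    a TCP query may not report QryTCP at all.
    """
    ns = json.loads(stats_json).get("nsstats", {})
    return {"udp": int(ns.get("QryUDP", 0)), "tcp": int(ns.get("QryTCP", 0))}


def tcp_fraction(udp: int, tcp: int) -> float:
    """Share of queries carried over TCP; 0.0 when there were no queries."""
    total = udp + tcp
    return tcp / total if total else 0.0


def fraction_since_boot(stats_json: str) -> float:
    """The figure the post quotes: TCP share of everything since named started."""
    s = snapshot(stats_json)
    return tcp_fraction(s["udp"], s["tcp"])


def fraction_over_interval(prev: Dict[str, int], cur: Dict[str, int]) -> Optional[float]:
    """TCP share between two snapshots, which is the comparable number when
    servers have been up for different lengths of time.

    The counters are cumulative, so a value that went down means named was
    restarted in between; return None rather than a negative or meaningless
    ratio.
    """
    if cur["udp"] < prev["udp"] or cur["tcp"] < prev["tcp"]:
        return None
    return tcp_fraction(cur["udp"] - prev["udp"], cur["tcp"] - prev["tcp"])


def summarize(fractions: List[float]) -> Dict[str, float]:
    """Min / median / max of per-server TCP shares, for a survey across many
    servers of the kind the thread asks about."""
    if not fractions:
        raise ValueError("no usable measurements")
    ordered = sorted(fractions)
    return {"min": ordered[0], "median": statistics.median(ordered), "max": ordered[-1]}


if __name__ == "__main__":
    # In practice each snapshot comes from curl-ing a server's statistics
    # channel (assumed URL form: http://<host>:<port>/json/v1/server).
    t0, t1 = snapshot(SNAPSHOT_T0), snapshot(SNAPSHOT_T1)
    print("since boot: %.4f" % fraction_since_boot(SNAPSHOT_T1))
    print("interval:   %s" % fraction_over_interval(t0, t1))
    print("restarted:  %s" % fraction_over_interval(t1, snapshot(SNAPSHOT_AFTER_RESTART)))
```

The since-boot number is the easy one to collect, but it is skewed by whatever happened right after startup and by uptime; taking two snapshots an hour or a day apart on each server and feeding the per-server interval fractions to summarize() gives the distribution the thread is after.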
