10. Security Considerations
Some DNS server operators have expressed concern that wider promotion and use of DNS over TCP will expose them to a higher risk of DoS attacks on TCP (both accidental and deliberate).
Although there is a higher risk of some specific attacks against TCP-enabled servers, techniques for the mitigation of DoS attacks at the network level have improved substantially since DNS was first designed.
Readers are advised to familiarise themselves with [CPNI-TCP], a security assessment of TCP that details known TCP attacks and countermeasures and that references most of the relevant RFCs on this topic.
To mitigate the risk of DoS attacks, DNS servers are advised to engage in TCP connection management. This could include maintaining state on existing connections, reusing existing connections, and controlling request queues to enable fair use. It is likely to be advantageous to provide configurable connection management options, for example:
- total number of TCP connections
- maximum TCP connections per source IP address or subnet
- TCP connection idle timeout
- maximum DNS transactions per TCP connection
- maximum TCP connection duration
No specific values are recommended for these parameters.
Operators are advised to familiarise themselves with the configuration and tuning parameters available in the TCP stack of the operating system. However, detailed advice on this is outside the scope of this document.
Operators of recursive servers are advised to ensure that they only accept connections from expected clients (for example, by the use of an Access Control List (ACL)) and do not accept them from unknown sources. In the case of UDP traffic, this will help protect against reflection attacks [RFC5358]; and in the case of TCP traffic, it will prevent an unknown client from exhausting the server's limits on the number of concurrent connections.
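The connection-management limits listed above and the client ACL recommended for recursive servers can be enforced in one small admission-control layer in front of the TCP listener. The following is an added illustration, not code from RFC 7766 or from any DNS implementation: the class, its method names, the fake clock passed in as `now`, and every numeric limit (the RFC recommends no specific values) are assumptions chosen for the example. It aggregates IPv6 sources at /64 so that a single client cannot evade the per-source limit by cycling through addresses in its own prefix, and it distinguishes the five close reasons so an operator can log and alert on each separately.

```python
"""Illustrative DNS-over-TCP connection manager enforcing the configurable
limits of RFC 7766 Section 10 plus a client ACL for recursive servers.
Added example; not code from the RFC or any DNS server. Names, limits and
the injected clock are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Limits:
    # Example values only: RFC 7766 deliberately recommends no numbers.
    max_total: int = 1000          # total concurrent TCP connections
    max_per_source: int = 10       # concurrent connections per source key
    source_prefix_v4: int = 32     # aggregate IPv4 sources per address
    source_prefix_v6: int = 64     # aggregate IPv6 sources per /64
    idle_timeout: float = 10.0     # seconds since last completed transaction
    max_transactions: int = 100    # DNS query/response pairs per connection
    max_duration: float = 60.0     # seconds since accept(), even if busy


@dataclass
class Conn:
    source: str                    # aggregated source network, e.g. "192.0.2.10/32"
    opened: float
    last_active: float
    transactions: int = 0


class ConnectionManager:
    def __init__(self, limits: Limits, acl: Optional[List[str]] = None):
        self.limits = limits
        # ACL of client networks allowed to connect (recursive-server case).
        # None means no ACL (authoritative style); [] rejects every client.
        self.acl = None if acl is None else [ipaddress.ip_network(n) for n in acl]
        self.conns: Dict[int, Conn] = {}
        self.per_source: Dict[str, int] = {}
        self._next_id = 1

    def _source_key(self, ip: str) -> str:
        """Collapse a client address to the prefix the per-source limit applies to."""
        addr = ipaddress.ip_address(ip)
        plen = self.limits.source_prefix_v4 if addr.version == 4 else self.limits.source_prefix_v6
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def allowed_source(self, ip: str) -> bool:
        if self.acl is None:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.acl)

    def accept(self, ip: str, now: float) -> Tuple[Optional[int], str]:
        """Admission decision for a new TCP connection from ip.
        Returns (connection id, "ok") or (None, reason)."""
        if not self.allowed_source(ip):
            return None, "acl"
        if len(self.conns) >= self.limits.max_total:
            return None, "total-limit"
        key = self._source_key(ip)
        if self.per_source.get(key, 0) >= self.limits.max_per_source:
            return None, "per-source-limit"
        cid = self._next_id
        self._next_id += 1
        self.conns[cid] = Conn(source=key, opened=now, last_active=now)
        self.per_source[key] = self.per_source.get(key, 0) + 1
        return cid, "ok"

    def record_transaction(self, cid: int, now: float) -> bool:
        """Account one completed query/response on the connection.
        Returns False, and closes the connection, once max_transactions is reached."""
        c = self.conns[cid]
        c.transactions += 1
        c.last_active = now
        if c.transactions >= self.limits.max_transactions:
            self.close(cid)
            return False
        return True

    def expire(self, now: float) -> List[Tuple[int, str]]:
        """Close connections past max_duration or idle_timeout; run periodically."""
        closed: List[Tuple[int, str]] = []
        for cid, c in list(self.conns.items()):
            if now - c.opened >= self.limits.max_duration:
                closed.append((cid, "max-duration"))
            elif now - c.last_active >= self.limits.idle_timeout:
                closed.append((cid, "idle-timeout"))
        for cid, _ in closed:
            self.close(cid)
        return closed

    def close(self, cid: int) -> None:
        c = self.conns.pop(cid)
        self.per_source[c.source] -= 1
        if self.per_source[c.source] == 0:
            del self.per_source[c.source]
```

In a real server the listener would call `accept()` before handing the socket to a worker, `record_transaction()` after each response is written, and `expire()` from a timer; the reasons returned are the values worth counting, because a sudden rise in `per-source-limit` or `acl` rejections is the early signal of the TCP-exhaustion and reflection-style abuse the section describes.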