bogantech 5 days ago

> This sounds like bad advice

Please elaborate.

As they say, a typical DNS request comes in as one packet and is replied to in one packet; there is no ongoing connection, so there's no point keeping tracking information.

The implication of not tracking the connection is that any packets will have to match a more specific rule than the "allow established,related" at the top of the firewall chain.

> they would be better off trying to make DNS a TCP-only service to stop amplification attacks.

Sure, let's get literally everyone on the internet to agree to a new version of DNS that uses TCP...

Even if you do that, the problem just moves from conntrack filling up to ephemeral ports filling up with sockets stuck in TIME_WAIT, because some genius thought a service that doesn't maintain a connection should use TCP.
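The firewall layout the comment above describes (UDP/53 exempted from conntrack, so it no longer matches the "established,related" rule and must be accepted by an explicit rule in both directions), written out as an nftables ruleset. This is an added example, not code from the thread; the table and chain names, the SSH rule and the choice of nftables over iptables are assumptions, and the script only emits the text (the optional syntax check calls nft, which needs root and an nftables-capable kernel):

```shell
#!/bin/sh
# Added example (not from the thread): an nftables ruleset that keeps DNS
# on UDP/53 out of conntrack. Table/chain names are hypothetical.

dns_notrack_ruleset() {
    cat <<'EOF'
table inet filter {
    # Runs before conntrack (priority raw = -300): queries arriving on
    # UDP/53 get no conntrack entry, so the table cannot fill up with them.
    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack
    }
    # The replies leave via output; without this the server's own answer
    # would still create a conntrack entry.
    chain raw_output {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack
    }
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        # Untracked packets match neither of these two rules; "untracked"
        # is its own ct state, distinct from "invalid".
        ct state established,related accept
        ct state invalid drop
        # Hence DNS needs its own, more specific accept rule.
        udp dport 53 accept
        tcp dport 53 accept
        tcp dport 22 ct state new accept
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif lo accept
        ct state established,related accept
        # Replies are untracked too, so they must be allowed explicitly.
        udp sport 53 accept
        tcp sport 53 accept
    }
}
EOF
}

# Sanity check a practitioner wants: both directions are exempted.
notrack_rule_count() {
    dns_notrack_ruleset | grep -c 'notrack$'
}

# Dry-run the ruleset through nft if it is installed (needs root).
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        dns_notrack_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Usage: dns_notrack_ruleset > /etc/nftables.conf; check_ruleset
```

If you only add the prerouting notrack rule and forget the output side, the reply creates the conntrack entry the query avoided, so the table fills up just as before; the `notrack_rule_count` check exists to catch that.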

nubinetwork 12 hours ago | parent | next

Sorry, I didn't see the replies... but you technically don't have to connect for every new request, just connect once and leave it open for new requests. /shrug

josephcsible 5 days ago | parent | prev

> let's get literally everyone on the internet to agree to a new version of DNS that uses TCP

That's already done. DNS servers already all speak both TCP and UDP. Try "dig google.com @8.8.8.8 +tcp".