
DNS has grown into an enormously complex system - b-man
http://queue.acm.org/detail.cfm?id=1242499
======
mschout
If _this_ article makes you think DNS is complex, just wait until you have to
deploy DNSSEC!

~~~
viraptor
Or read how it's used for internet telephony: you're supposed to support 3
indirect results -> NAPTR query returns a regex and a list of ideas for SRV
queries, which give you a list of queries to resolve with A. So much fun!
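
The three-step indirection viraptor describes, as an added example that is not part of the thread or the article: an ENUM NAPTR record whose regexp rewrites a phone number into a SIP URI, a NAPTR record on that domain pointing at an SRV name, the SRV record giving hosts and ports, and finally A records giving addresses. All records, names, numbers and addresses are constructed in memory so it runs offline; the only real-library call is Python's `re`, used to apply the RFC 3403 substitution expression.

```python
import re
from typing import List, Tuple

# Constructed zone data standing in for the answers a real resolver would fetch.
# None of these names, numbers or addresses come from the article or a live server.
NAPTR = {
    # ENUM: the reversed digits of +1 555 123 4567 under e164.arpa
    "7.6.5.4.3.2.1.5.5.5.1.e164.arpa.": [
        # (order, preference, flags, service, regexp, replacement)
        (100, 10, "u", "E2U+sip", r"!^\+1555(.*)$!sip:\1@example.com!", "."),
    ],
    # RFC 3263-style SIP server location for the domain in that URI
    "example.com.": [
        (10, 50, "s", "SIP+D2U", "", "_sip._udp.example.com."),
        (20, 50, "s", "SIP+D2T", "", "_sip._tcp.example.com."),
    ],
}
SRV = {
    "_sip._udp.example.com.": [
        # (priority, weight, port, target); lower priority is tried first
        (10, 0, 5060, "sipbackup.example.com."),
        (0, 5, 5060, "sip1.example.com."),
    ],
}
A = {
    "sip1.example.com.": ["192.0.2.10"],
    "sipbackup.example.com.": ["192.0.2.20"],
}


def e164_to_enum_name(number: str) -> str:
    """+15551234567 -> 7.6.5.4.3.2.1.5.5.5.1.e164.arpa. (ENUM naming)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return ".".join(reversed(digits)) + ".e164.arpa."


def apply_naptr_regexp(regexp: str, subject: str) -> str:
    """Apply an RFC 3403 substitution expression <delim>ERE<delim>repl<delim>flags.

    Group backreferences (backslash-digit) in repl are expanded from the ERE's
    groups. This simple splitter assumes the delimiter is not escaped inside the ERE.
    """
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) != 3:
        raise ValueError(f"malformed NAPTR regexp: {regexp!r}")
    pattern, repl, flags = parts
    match = re.search(pattern, subject, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        raise ValueError(f"NAPTR regexp {regexp!r} does not match {subject!r}")
    return match.expand(repl)


def resolve_sip_number(number: str) -> Tuple[str, List[Tuple[str, int]]]:
    """Walk ENUM NAPTR -> SIP NAPTR -> SRV -> A; return (sip_uri, [(ip, port), ...])."""
    # Indirection 1: ENUM NAPTR; the "u" flag means the regexp output is the URI.
    uri = None
    for _order, _pref, flags, service, regexp, _repl in sorted(NAPTR.get(e164_to_enum_name(number), [])):
        if "u" in flags.lower() and service.lower() == "e2u+sip":
            uri = apply_naptr_regexp(regexp, number)
            break
    if uri is None:
        raise LookupError(f"no E2U+sip NAPTR record for {number}")

    # Indirection 2: NAPTR on the URI's domain; the "s" flag means the replacement names an SRV record.
    domain = uri.split("@", 1)[1].rstrip(".") + "."
    srv_name = None
    for _order, _pref, flags, service, _regexp, repl in sorted(NAPTR.get(domain, [])):
        if "s" in flags.lower() and service.upper() == "SIP+D2U":
            srv_name = repl
            break
    if srv_name is None:
        raise LookupError(f"no SIP+D2U NAPTR record for {domain}")

    # Indirection 3: SRV gives (priority, weight, port, target); A gives addresses.
    # Weighted selection among equal priorities (RFC 2782) is left out for brevity.
    endpoints = []
    for _prio, _weight, port, target in sorted(SRV.get(srv_name, [])):
        for addr in A.get(target, []):
            endpoints.append((addr, port))
    if not endpoints:
        raise LookupError(f"SRV {srv_name} led to no A records")
    return uri, endpoints


if __name__ == "__main__":
    print(resolve_sip_number("+15551234567"))
```

Each hop is a separate lookup that can fail, be spoofed or be cached with a different TTL, which is why a SIP client that follows this chain has to validate every step rather than only the final A answer.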

------
ez77
Why is UDP used for DNS instead of TCP? Isn't TCP supposed to be more reliable
( _lossless_ )? Reliability would appear to be of utmost importance in DNS,
no?

~~~
swalberg
TCP is used if the size of the packet goes over 512 bytes. Practically this is
only used for zone transfers.

It's also faster... Assuming everything works, it's one round trip time for
the query and response for UDP, as opposed to 2 for the TCP case because you
have to set up the connection first.

Being connectionless means that the server can be much more efficient, because
it never has to keep track of any connections or state.

And, as others have pointed out, you just retransmit if you don't get an
answer. TCP isn't really lossless; it just guarantees that you know when
you've lost something, which is an important distinction. And with DNS, that's
pretty easy -- you didn't get your answer. TCP would take a while to figure
this out; with UDP you can pick your timeout.
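
A resolver-side sketch of what swalberg describes, as an added example that is not from the thread: the client builds a query with a transaction ID, sends it over UDP with a timeout it chooses, retransmits on silence, and falls back to TCP (with DNS's two-byte length prefix) when the TC bit says the answer did not fit the 512-byte UDP limit. The transports are constructed fakes so the code runs offline; a real client would use sockets. The transaction-ID and QR checks are an added caveat rather than something the comment mentions: a datagram that does not match the outstanding ID is ignored, because UDP gives no other assurance the reply came from the server you asked.

```python
import random
import struct
from typing import Callable, Dict, Optional, Tuple

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP limit without EDNS(0)


def encode_name(qname: str) -> bytes:
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    if txid is None:
        txid = random.SystemRandom().randrange(1 << 16)  # unpredictable ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg: bytes) -> Dict[str, int]:
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def tcp_frame(msg: bytes) -> bytes:
    return struct.pack("!H", len(msg)) + msg  # RFC 1035 4.2.2 length prefix


def tcp_unframe(data: bytes) -> bytes:
    (n,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + n:
        raise ValueError("short TCP DNS frame")
    return data[2:2 + n]


Transport = Callable[[bytes, float], bytes]  # (message, timeout) -> reply, or raises TimeoutError


def resolve(query: bytes, send_udp: Transport, send_tcp: Transport,
            timeout: float = 1.0, retries: int = 3) -> Tuple[str, bytes]:
    """Return ("udp" | "tcp", full response). The caller picks timeout and retry count."""
    txid = parse_header(query)["id"]
    for _attempt in range(retries):
        try:
            resp = send_udp(query, timeout)
        except TimeoutError:
            continue  # silence: retransmit
        h = parse_header(resp)
        if h["id"] != txid or not h["qr"]:
            continue  # not an answer to our question; do not accept it
        if h["tc"]:
            full = tcp_unframe(send_tcp(tcp_frame(query), timeout))
            if parse_header(full)["id"] != txid:
                raise ValueError("TCP answer has the wrong transaction ID")
            return "tcp", full
        return "udp", resp
    raise TimeoutError(f"no valid answer after {retries} attempts")


def make_fake_transports():
    """Constructed stand-ins: first datagram lost, second reply truncated, TCP gives the full answer."""
    calls = {"udp": 0, "tcp": 0}

    def fake_udp(query: bytes, _timeout: float) -> bytes:
        calls["udp"] += 1
        if calls["udp"] == 1:
            raise TimeoutError("constructed: datagram lost")
        txid = parse_header(query)["id"]
        flags = 0x8000 | 0x0100 | 0x0080 | 0x0200  # QR, RD, RA, TC
        reply = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]
        assert len(reply) <= UDP_PAYLOAD_LIMIT
        return reply

    def fake_tcp(framed: bytes, _timeout: float) -> bytes:
        calls["tcp"] += 1
        query = tcp_unframe(framed)
        txid = parse_header(query)["id"]
        flags = 0x8000 | 0x0100 | 0x0080  # QR, RD, RA
        # one A record: name pointer to offset 12, type A, class IN, TTL 300, 4-byte rdata
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
        return tcp_frame(struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + query[12:] + answer)

    return fake_udp, fake_tcp, calls


def demo() -> Tuple[str, int, int, int]:
    """Run the fake exchange; returns (transport used, answer count, UDP sends, TCP sends)."""
    query = build_query("example.com.", txid=0x1234)
    udp, tcp, calls = make_fake_transports()
    via, answer = resolve(query, udp, tcp, timeout=0.5, retries=3)
    return via, parse_header(answer)["ancount"], calls["udp"], calls["tcp"]


if __name__ == "__main__":
    print(demo())
```

The whole UDP cost is one datagram each way; the TCP path in the fake adds the handshake, the length-prefixed stream and the teardown that the replies below count as extra round trips.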

~~~
IgorPartola
You also have to tear the connection down with 2 more round trips. Connections
not being closed by the client are a drain on the server.

~~~
ay
Also, to establish the TCP connection you need an extra round trip compared to
the UDP use case. Given that, when there is no answer in the cache, the
recursive name server may need to ask several authoritative name servers, this
can add significantly to the delay, too.

------
contravert
Why are there so few DDOS attacks on DNS servers? From my understanding, it is
trivial to forge a UDP packet with a false IP address. Wouldn't it be
extremely effective for even a few thousand zombie machines to spam forged DNS
requests to overload a DNS server? Given that the root DNS servers are such
obvious targets, why are there so few attacks on them?

~~~
sharth
Read this. It's ICANN's summary on the last DDOS on the root DNS servers.

[http://www.icann.org/en/announcements/factsheet-dns-attack-08mar07.pdf](http://www.icann.org/en/announcements/factsheet-dns-attack-08mar07.pdf)
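
Since a UDP query's source address cannot be trusted, an authoritative server cannot tell a forged flood from a busy client by the address alone; one defence is to limit how many responses it sends toward any single address, while still sending an occasional short TC=1 reply so a genuine client behind that address retries over TCP (a TCP handshake from a forged source never completes). The code below is an added example, not from the thread or ICANN's factsheet: a per-source token bucket in the spirit of DNS response rate limiting, with constructed traffic and constructed parameters, and it is not any server's actual implementation.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple


class ResponseRateLimiter:
    """Per-source token bucket deciding whether the server answers a query.

    Assumption: rate, burst and the "slip" behaviour are a teaching sketch in
    the spirit of DNS response rate limiting, not a real server's algorithm.
    """

    def __init__(self, responses_per_second: float, burst: int, slip: int = 2):
        self.rate = responses_per_second
        self.burst = burst
        self.slip = slip  # every slip-th suppressed reply becomes a tiny TC=1 reply
        self._tokens: Dict[str, float] = {}
        self._last: Dict[str, float] = {}
        self._suppressed: Dict[str, int] = defaultdict(int)

    def decide(self, src: str, now: float) -> str:
        """Return "answer", "truncate" (TC=1 so a real client can retry over TCP) or "drop"."""
        tokens = self._tokens.get(src, float(self.burst))
        elapsed = max(0.0, now - self._last.get(src, now))
        tokens = min(float(self.burst), tokens + elapsed * self.rate)  # refill, capped at burst
        self._last[src] = now
        if tokens >= 1.0:
            self._tokens[src] = tokens - 1.0
            return "answer"
        self._tokens[src] = tokens
        self._suppressed[src] += 1
        if self.slip and self._suppressed[src] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(queries: List[Tuple[float, str]],
             limiter: ResponseRateLimiter) -> Dict[str, Dict[str, int]]:
    """Feed (timestamp, source_ip) events through the limiter; count decisions per source."""
    outcome: Dict[str, Counter] = defaultdict(Counter)
    for ts, src in sorted(queries):
        outcome[src][limiter.decide(src, ts)] += 1
    return {src: dict(counts) for src, counts in outcome.items()}


# Constructed traffic: one ordinary client asking once a second, and one source
# address (which would be forged in a real flood) sending 50 queries within 50 ms.
CONSTRUCTED_QUERIES = [(0.0, "198.51.100.7"), (1.0, "198.51.100.7"), (2.0, "198.51.100.7")]
CONSTRUCTED_QUERIES += [(i * 0.001, "203.0.113.9") for i in range(50)]


def demo() -> Dict[str, Dict[str, int]]:
    # 5 responses per second with a burst of 5: the quiet client is never touched,
    # the flood source gets its first 5 answers and then mostly silence.
    return simulate(CONSTRUCTED_QUERIES, ResponseRateLimiter(responses_per_second=5, burst=5))


if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in the output: the limiter protects the server and any victim whose address is being forged, at the cost of briefly slowing a legitimate client that happens to share that address, which is what the truncate-and-retry path is there to soften.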

