
UDP indeed fits DNS like a glove, except on links with excessive latency / packet loss. This is more of an implementation issue than a problem with UDP, though.

I'm not very familiar with DNSCurve but I don't think it has any mechanisms to prevent amplification.

DNSCrypt solved this by requiring a question to be at least as large as its response.

> I'm not very familiar with DNSCurve but I don't think it has any mechanisms to prevent amplification.

The DNSCurve page discusses amplification:

https://dnscurve.org/amplification.html

The main point is that amplification is primarily a problem because of DNSSEC records causing small requests to generate very large responses, so if people would use DNSCurve instead then even if the responses were somewhat larger than the requests they wouldn't be so by a factor of 120:1 or more, which is the real issue.

But yes, there are multiple ways to solve the problem. CurveCP (a derivative of DNSCurve) does the same thing, requiring the initial packet to be as large as the response. For that matter DNSCrypt is somewhat a derivative of DNSCurve/CurveCP as well.

The point is that it's quite possible to solve the problem and still use UDP.
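The "question at least as large as its response" rule from both comments, as a small model added here (not code from DNSCrypt, DNSCurve or CurveCP): a server that refuses to emit more UDP bytes than it received, falling back to a minimal truncated reply so the client retries over TCP. The 64-byte padding block, the 256-byte minimum query and the sample sizes are constructed assumptions for the illustration.

```python
from dataclasses import dataclass

BLOCK = 64        # padding granularity (assumption for this model)
MIN_QUERY = 256   # smallest padded query a client sends (assumption)


def pad_len(n: int, block: int = BLOCK) -> int:
    """Round a message length up to the next multiple of `block`."""
    return ((n + block - 1) // block) * block


def pad_query(raw_len: int) -> int:
    """Client side: pad the question so a typical answer fits inside it."""
    return max(MIN_QUERY, pad_len(raw_len))


def amplification(query_len: int, response_len: int) -> float:
    """Bytes the server sends per byte it received (what a spoofed victim sees)."""
    return response_len / query_len


@dataclass
class Reply:
    length: int       # bytes actually put on the wire
    truncated: bool   # TC bit set: client must retry over TCP


def answer_udp(query_len: int, answer_len: int) -> Reply:
    """Server side: never send more UDP bytes than were received.

    If the padded answer would exceed the padded query, send one padded
    block carrying only a header with TC set (standard DNS truncation);
    otherwise pad the answer up to the query size, so the ratio is 1:1.
    """
    q = pad_len(query_len)
    if pad_len(answer_len) > q:
        return Reply(length=BLOCK, truncated=True)
    return Reply(length=q, truncated=False)


def worst_ratio(pairs) -> float:
    """Largest amplification a server following answer_udp can produce
    over a list of (raw query length, answer length) pairs."""
    worst = 0.0
    for raw_q, ans in pairs:
        q = pad_query(raw_q)
        worst = max(worst, amplification(q, answer_udp(q, ans).length))
    return worst


if __name__ == "__main__":
    # constructed sizes: a legacy unpadded exchange vs. the padded policy
    print(amplification(40, 4000))                    # legacy: 100.0
    print(worst_ratio([(40, 100), (60, 4000), (45, 250)]))  # padded: 1.0
```
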
