Hey there,
We still see TCP primarily in fallback scenarios triggered by TC=1 —
often due to large TXT records or DNSSEC. That said, the real shift
in DNS transport is toward encrypted protocols like DoH and DoQ,
rather than increased reliance on TCP itself. We're observing this
trend across on-prem resolvers we manage that handle several million
QPS.
Carlos Horowicz
Planisys
On 07/07/2025 05:11, Mukund Sivaraman wrote:
Hi Tommy
You have the right mind, but I don't know how this draft will fly in
today's world. If you routinely look at packet captures at ISP resolvers
(which handle some of the heaviest query rates of DNS outside CDNs), the
overwhelming majority of queries complete with DNS over UDP. Some
truncated responses cause TCP traffic, but it is the presence of DNS
over UDP that allow these resolvers to perform at the response rates
they do currently (and they still struggle sometimes). DNS over TCP
performance and scalability is still poor compared to DNS over UDP.
The considerations such as Kaminsky attack needing source port
randomization, fragmentation, etc. are already worked around in
implementation.
1. Introduction
Many uses of the DNS require message sizes larger than common path
MTUs. This poses problems for Classic DNS over UDP by requiring
It would be fairer to s/Many/Some/ here as the majority of DNS traffic
as seen in packet captures at ISPs complete (succeed) over UDP.
Mukund
_______________________________________________
DNSOP mailing list [email protected]
To unsubscribe send an email [email protected]
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
