I would like to see DNS servers require each client to establish one TCP connection to be allowed to use UDP thereafter.
If this were the default on DNS servers, then DNS amplification attacks would be nearly impossible. They rely on spoofing a DNS request from the victim, and amplify because the response may be many times larger than the request. If TCP were required to be used before UDP responses can be received, then the victim would have to be first tricked into making a DNS request over TCP to each public DNS server.
The DNS Cookies standard (RFC 7873) doesn't do much to stop this, since it is impractical to fail queries from non-cookie clients.
DNS over TCP is supposed to be supported, so implementing this will push firewall admins in the right direction (allow both TCP/UDP outbound on 53).
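The gate proposed above can be modelled in a few lines. The following is an added simulation, not code from the post or from any DNS server: a server answers UDP queries only for source addresses that recently completed a query over TCP, and the script compares the response bytes pushed toward a spoofed victim address under today's open policy and under the TCP-first policy. Addresses, sizes and timings are constructed sample data.

```python
"""Constructed simulation of a 'TCP first, then UDP' gate for a DNS server.
Not code from any DNS implementation; all addresses and sizes are made up."""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Query:
    ts: float        # arrival time in seconds
    src_ip: str      # claimed source; forgeable over UDP, proven by a TCP handshake
    transport: str   # "udp" or "tcp"
    resp_bytes: int  # size of the answer the server would send back


class TcpFirstGate:
    """Answer UDP queries only for source addresses that recently completed a TCP query.

    A TCP handshake requires the peer to receive the SYN-ACK, so a completed TCP query
    proves the address is reachable and willing to talk; a spoofed UDP source never gets
    that far. The cost is the per-client table below, which the server must keep.
    """

    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl = ttl_seconds
        self.verified: dict[str, float] = {}  # src_ip -> expiry time (per-client state)

    def decide(self, q: Query) -> str:
        if q.transport == "tcp":
            self.verified[q.src_ip] = q.ts + self.ttl
            return "answered-tcp"
        expiry = self.verified.get(q.src_ip)
        if expiry is None or expiry <= q.ts:
            return "dropped-unverified"  # no response, so nothing to amplify
        return "answered-udp"


class OpenGate:
    """Today's default: every UDP query is answered to whatever source it claims."""

    def decide(self, q: Query) -> str:
        return "answered-" + q.transport


def bytes_received(queries, gate) -> dict[str, int]:
    """Total response bytes the server would push toward each claimed source IP."""
    totals: dict[str, int] = defaultdict(int)
    for q in sorted(queries, key=lambda x: x.ts):
        if gate.decide(q).startswith("answered"):
            totals[q.src_ip] += q.resp_bytes
    return dict(totals)


# Constructed traffic: one legitimate stub resolver and one attacker spoofing a victim.
LEGIT, VICTIM = "192.0.2.10", "203.0.113.5"
SAMPLE = [
    Query(0.0, LEGIT, "tcp", 120),              # legit client's first query, over TCP
    Query(1.0, LEGIT, "udp", 120),              # later UDP queries are answered
    Query(2.0, LEGIT, "udp", 120),
    *[Query(5.0 + i, VICTIM, "udp", 3000)       # spoofed victim source, large answers
      for i in range(10)],
    Query(3601.0, LEGIT, "udp", 120),           # after the TTL the client must re-verify
]


def compare(queries=SAMPLE):
    """Bytes toward each source under the open policy and under the TCP-first policy."""
    return {"open": bytes_received(queries, OpenGate()),
            "tcp_first": bytes_received(queries, TcpFirstGate())}


if __name__ == "__main__":
    for name, totals in compare().items():
        print(name, totals)
```

With the sample traffic, the open policy sends 30000 bytes toward the victim for 10 spoofed queries, while the TCP-first gate sends nothing to the unverified address and still answers the legitimate client's UDP queries until its entry expires. The `verified` table is exactly the per-client state the proposal adds to the server.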
Quadrupling first query time wouldn't be acceptable. And now servers have to keep some state per client, so more requirements.
That's an interesting argument, given the whole impetus behind pushing for DoT vs. DoH was to allow network administrators the discretion to block encrypted DNS (by blocking DoT).