DNS professionals (including yours truly, honestly) tend to believe that DNS using TCP is not going to perform as well as DNS over UDP. Could we be wrong in practice, in at least certain circumstances (which might be the ones where Do[TH] is getting a foothold)? This has nothing to do with security, just TCP vs UDP.
TCP support in a DNS resolver is not optional (musl is wrong). However, queries are made by clients (e.g. glibc) using UDP, trying TCP only when explicitly requested or when a UDP response arrives with TC=1: TCP is /never/ tried opportunistically.
Is it time for resolver implementations to rethink this, and make trying TCP opportunistically an option? I'm talking about Microsoft and Apple here, of course.
I have the chops to write a TCP-only forwarder or run a local copy of BIND queryable on loopback, but that's not everyman, nor everywoman working from home on a $corporate laptop.
Thoughts?
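The UDP-first, TC=1-then-TCP behaviour described in the post, with an "opportunistic TCP" switch next to it, as an added example that is not code from the original post or from any resolver; the `send_udp`/`send_tcp` callables are hypothetical stand-ins for real sockets so the flow can be exercised offline.

```python
import random
import struct

# Added example (not code from the original post): the stub-resolver rule
# described above, i.e. UDP first and TCP only after a TC=1 reply, next to
# an "opportunistic TCP" switch. Transports are injected so it runs offline.

TC_FLAG = 0x0200  # Truncation bit in the 16-bit DNS header flags word


def build_query(name, qtype=1, txid=None):
    """Minimal DNS query: RD=1, one question, QCLASS IN (qtype 1 = A)."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def is_truncated(msg):
    """True when the response header carries TC=1 (answer did not fit in UDP)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC_FLAG)


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def resolve(query, send_udp, send_tcp, opportunistic_tcp=False):
    """Return (response, transport_used).

    send_udp(query) -> raw reply; send_tcp(framed_query) -> framed reply.
    Both are hypothetical injectable callables (real sockets in practice).
    Default behaviour is the glibc-style rule; opportunistic_tcp=True skips
    the UDP round trip entirely, which is the option the post asks about."""
    if not opportunistic_tcp:
        reply = send_udp(query)
        if not is_truncated(reply):
            return reply, "udp"
    framed_reply = send_tcp(frame_for_tcp(query))
    return framed_reply[2:], "tcp"  # strip the 2-byte length prefix
```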