Jul 30 – 31, 2022
Sheraton Philadelphia Downtown
US/Eastern timezone

DoQ on authoritative: perspective, initial implementation, performance, DoS resilience

Jul 30, 2022, 11:25 AM
Liberty D (Sheraton Philadelphia Downtown)

201 North 17th Street Philadelphia PA 19103 United States
Standard Presentation Main Session OARC 38 Day 1


Libor Peltan (CZ.NIC)


QUIC might become a mainstream transport for future DNS, including recursive-to-authoritative traffic. The benefits are: privacy through encryption, low latency through the zero-RTT handshake, no a priori response size limit, and no source address spoofing.

With the previous implementation of the XDP stack in Knot DNS for UDP and TCP, the authoritative server can be resilient to many types of resource exhaustion attacks. However, QUIC measurements show sufficiently high queries-per-second numbers only for legitimate traffic; without additional protection, an attacker might DoS the server by exhausting its CPU with encryption routines.

Other quirks of authoritative DoQ may be discussed as well (certificate exchange, slow first handshake).

Presentation delivery In-person at the workshop venue

Primary author

Libor Peltan (CZ.NIC)
