[dns-operations] the mathematics of kaminsky spoofing probability

bert hubert bert.hubert at netherlabs.nl
Mon Aug 4 09:18:50 UTC 2008

On Mon, Aug 04, 2008 at 09:33:59AM +0200, Shane Kerr wrote:
> What can the operator of an authoritative server do if it detects
> someone trying to spoof it? I am not being cheeky, rather I am genuinely
> curious what options are available.

In that same vein, some options that are available:

1) Set the TC bit on answers to the host we think is being spoofed, causing
it to fall back to TCP, which is considered spoofing-proof

2) Repeat all answers to that host n times in an attempt to increase chances
of the correct answer coming through the blast of spoofed queries.

I'm not saying one should do either 1 or 2, but there are options.

Option 1 might be patented, if I recall correctly.


http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services
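Option 1 in concrete terms, as an added example that is not part of the post or of PowerDNS: the authoritative side answers the suspected-target resolver with a minimal response carrying QR=1 and TC=1 and no answer records, which a conforming resolver treats as a signal to retry the query over TCP. The query bytes are constructed here; the code assumes an uncompressed question name (the normal case for a query).

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100  # DNS header flag bits

def build_query(txid: int, name: str) -> bytes:
    """Constructed sample query: standard recursive query, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def truncated_response(query: bytes) -> bytes:
    """Build the TC=1 reply an authoritative server could send to a resolver it
    believes is under a spoofing blast: same transaction ID, question echoed,
    zero answer/authority/additional records, RD preserved, RCODE=0."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    rflags = QR | TC | (flags & RD)
    # Walk the question name to find the end of the question section.
    pos = 12
    while query[pos] != 0:
        if query[pos] & 0xC0:  # label pointer: compression is not expected in a query
            raise ValueError("compressed question name not supported")
        pos += 1 + query[pos]
    pos += 1 + 4  # terminating zero label + QTYPE + QCLASS
    return struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0) + query[12:pos]

def parse_flags(msg: bytes) -> dict:
    """Resolver-side view: decode the header bits that decide a TCP retry."""
    txid, flags, _, ancount = struct.unpack("!HHHH", msg[:8])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "rcode": flags & 0x000F, "ancount": ancount}

if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(parse_flags(truncated_response(q)))
```

The TC reply carries no data, so the defense only works if the resolver honours TC by retrying over TCP and port 53/TCP is actually reachable on the authoritative server.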
