[dns-operations] the mathematics of kaminsky spoofing probability
bert.hubert at netherlabs.nl
Mon Aug 4 09:18:50 UTC 2008
On Mon, Aug 04, 2008 at 09:33:59AM +0200, Shane Kerr wrote:
> What can the operator of an authoritative server do if it detects
> someone trying to spoof it? I am not being cheeky, rather I am genuinely
> curious what options are available.
In that same veign, some options that are available:
1) Set the TC bit on answers to the host we think is being spoofed, causing
it to fallback to TCP, which is considered spoofing-proof
2) Repeat all answers to that host n times in an attempt to increase chances
of the correct answer coming through the blast of spoofed queries.
I'm not saying one should do either 1 or 2, but there are options.
Option 1 might be patented, if I recall correctly.
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
More information about the dns-operations