[dns-operations] the mathematics of kaminsky spoofing probability
bert.hubert at netherlabs.nl
Mon Aug 4 10:13:42 UTC 2008
On Mon, Aug 04, 2008 at 12:08:44PM +0200, Jelte Jansen wrote:
> > In that same vein, some options that are available:
> > 1) Set the TC bit on answers to the host we think is being spoofed, causing
> > it to fall back to TCP, which is considered spoofing-proof
> Er, does this work?
> If the tc=1 answer causes the host to use TCP, wouldn't the normal real
> answer cause it to ignore the spoofs too (for that specific query)?
The tc=1 should be put on that IP address persistently, so it works across
separate Kaminsky attempts for the same zone. So tc=1 applies not only for
that query, but for queries in the coming time period as well. You could
remove it after a few minutes of no ICMP unreachables.
I'm still not saying one should do this, just that it is an option.
In general I think the current spoofing problems may well be amenable to
dynamic spoofing detection and sidestepping behaviour, but mostly on the
resolver side of things.
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
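A sketch of the per-IP "persistent tc=1" option discussed above, added here as an illustration; it is not code from PowerDNS or from anyone in the thread. The 300-second quiet period, the class and function names, and the sample response message are assumptions I constructed for the example.

```python
import struct

class SpoofSuspects:
    """Per-client-IP record of when we last got an ICMP port unreachable back from it."""
    def __init__(self, quiet_period=300.0):  # assumed: "a few minutes" of no unreachables
        self.quiet_period = quiet_period
        self.last_unreachable = {}

    def note_icmp_unreachable(self, client_ip, now):
        # The host rejected a response to a query it never sent: its address is being spoofed.
        self.last_unreachable[client_ip] = now

    def force_tc(self, client_ip, now):
        # Persistent per IP: stays set across separate queries until the quiet period passes.
        seen = self.last_unreachable.get(client_ip)
        if seen is None:
            return False
        if now - seen > self.quiet_period:
            del self.last_unreachable[client_ip]
            return False
        return True

def question_end(msg):
    """Offset just past the question section: 12-byte header + QDCOUNT x (name, type, class)."""
    (qdcount,) = struct.unpack("!H", msg[4:6])
    pos = 12
    for _ in range(qdcount):
        while True:
            length = msg[pos]
            if length == 0:          # root label ends the name
                pos += 1
                break
            if length & 0xC0:        # 2-byte compression pointer also ends the name
                pos += 2
                break
            pos += 1 + length
        pos += 4                     # QTYPE + QCLASS
    return pos

def truncate_for_tcp_retry(msg):
    """Set TC=1 and keep only header+question so a legitimate client retries over TCP."""
    hdr = bytearray(msg[:12])
    hdr[2] |= 0x02                   # TC is bit 1 of the third header byte
    hdr[6:12] = b"\x00" * 6          # ANCOUNT/NSCOUNT/ARCOUNT = 0: nothing follows the question
    return bytes(hdr) + msg[12:question_end(msg)]

def respond(suspects, client_ip, response, now):
    return truncate_for_tcp_retry(response) if suspects.force_tc(client_ip, now) else response

# Constructed sample: answer for example.com A 192.0.2.1 (flags QR,RD,RA; 1 question, 1 answer).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
```

The spoofer's forged answers still race the real one; what changes is that a genuine client marked this way ignores UDP answers and asks again over TCP, where the forged packets cannot complete the handshake.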