[dns-operations] the mathematics of kaminsky spoofing probability

bert hubert bert.hubert at netherlabs.nl
Mon Aug 4 10:13:42 UTC 2008

On Mon, Aug 04, 2008 at 12:08:44PM +0200, Jelte Jansen wrote:
> > In that same vein, some options that are available:
> > 
> > 1) Set the TC bit on answers to the host we think is being spoofed, causing
> > it to fallback to TCP, which is considered spoofing-proof
> > 
> Er, does this work?
> If the tc=1 answer causes the host to use TCP, wouldn't the normal real
> answer cause it to ignore the spoofs too (for that specific query)?

The tc=1 should be put on that IP address persistently, so it works across
separate kaminsky attempts for the same zone. So tc=1 applies not only for
that query, but for queries in the coming time period as well. You could
remove it after a few minutes of no ICMP unreachables.

I'm still not saying one should do this, just that it is an option.

In general I think the current spoofing problems may well be amenable to
dynamic spoofing detection and sidestepping behaviour, but mostly on the
resolver side of things.


http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
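The per-IP, time-limited TC=1 behaviour Bert describes above, as an added example that is not code from the thread or from PowerDNS: an authoritative server keeps a count of ICMP port unreachables per resolver address, treats a resolver as "being spoofed" once the count passes a threshold, forces TCP fallback by setting TC and stripping the answer section, and forgets the resolver after a quiet period. The threshold (5), the quiet period (180 s), the address 192.0.2.53 and the example.com response message are all constructed for the demonstration.

```python
import struct

TC_FLAG = 0x0200       # TrunCation bit in the DNS header flags word
QUIET_PERIOD = 180.0   # assumed: seconds without ICMP unreachables before a client is cleared
THRESHOLD = 5          # assumed: unreachables needed before we start forcing TCP


class SpoofSuspectTracker:
    """Per-resolver-IP state: how many ICMP port unreachables we saw, and when."""

    def __init__(self, threshold=THRESHOLD, quiet_period=QUIET_PERIOD):
        self.threshold = threshold
        self.quiet_period = quiet_period
        self._count = {}   # ip -> unreachables seen in the current window
        self._last = {}    # ip -> timestamp of the most recent unreachable

    def record_unreachable(self, ip, now):
        # An ICMP port unreachable from a resolver, for a reply we never sent,
        # means forged answers are landing on that resolver's closed ports.
        if ip in self._last and now - self._last[ip] > self.quiet_period:
            self._count[ip] = 0            # window expired: start counting afresh
        self._count[ip] = self._count.get(ip, 0) + 1
        self._last[ip] = now

    def is_suspect(self, ip, now):
        last = self._last.get(ip)
        if last is None:
            return False
        if now - last > self.quiet_period:
            # Quiet long enough: drop the state and answer over UDP again.
            del self._last[ip]
            del self._count[ip]
            return False
        return self._count[ip] >= self.threshold


def _question_end(msg):
    """Offset just past the question section of an uncompressed-QNAME message."""
    off = 12
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        off += ln
    return off + 4     # QTYPE + QCLASS


def truncate_response(msg):
    """Set TC=1 and drop every RR, so a conforming client retries over TCP."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    head = struct.pack("!6H", ident, flags | TC_FLAG, qd, 0, 0, 0)
    return head + msg[12:_question_end(msg)]


def answer_for(tracker, client_ip, full_response, now):
    """Return the wire response to send to client_ip at time now."""
    if tracker.is_suspect(client_ip, now):
        return truncate_response(full_response)
    return full_response


def build_sample_response():
    """Constructed response: example.com. A 192.0.2.1, id 0x1234, QR/RD/RA set."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    tracker = SpoofSuspectTracker()
    resolver = "192.0.2.53"
    for t in range(THRESHOLD):                   # a burst of unreachables at t=0..4
        tracker.record_unreachable(resolver, float(t))
    reply = answer_for(tracker, resolver, build_sample_response(), 10.0)
    print("TC forced, %d bytes" % len(reply))
    reply = answer_for(tracker, resolver, build_sample_response(), 10.0 + QUIET_PERIOD * 2)
    print("quiet period over, %d bytes" % len(reply))
```

The count resets whenever the quiet period has elapsed, so a resolver that stops receiving forged answers is automatically returned to normal UDP service, which is the "remove it after a few minutes of no ICMP unreachables" part of the proposal.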
