[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning
Mark Andrews
Mark_Andrews at isc.org
Fri Jul 11 22:42:42 UTC 2008
> For BIND and djbdns (tinydns/axfrdns) no change is needed. DNS over TCP is
> enabled by default, but the fools programming the firewall don't read
> the RFCs, which say port 53 UDP and TCP.
Yes, there are changes required.
First, you need to stop the servers making UDP requests by
default.
Next, you will need to treat your nameserver like an HTTP server
that is answering thousands of HTTP requests per second. The
latter is the expensive part, as it may involve new hardware.
> I have seen, when testing DNSSEC, that Finland first dropped their IPv6
> records because the packets got too big for UDP, and many clients
> switched to TCP because EDNS did not work for them. Next they dropped
> DNSSEC too.
I long ago stopped worrying about clients and EDNS. Clients
either fix their EDNS problems or they don't get answers
from the root servers. The root servers have EDNS enabled,
and there are referrals that exceed 512 bytes today.
The next big crunch comes with fragmented packets, and there
are enough large responses these days that anyone advertising
an EDNS UDP size greater than an Ethernet packet will be
seeing the odd fragmented DNS/UDP response. Signed answers
approach and, at times, cross this threshold.
The solution to this is to fix the firewall that thinks it
is sensible to drop fragmented packets. The workaround
is to advertise an appropriate EDNS UDP size so that truncation
does not occur.
e.g.
edns-udp-size 1460;
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
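The mechanics behind the advice in this thread are small enough to show on the wire: a query carries an OPT pseudo-RR whose CLASS field is the UDP payload size the sender is willing to receive, a server that cannot fit the reply into that size sets the TC bit so the client retries over TCP, and a DNS message over TCP is prefixed with a two-byte length. The Python below is an added example written for this page; it is not code from the original post, from ISC or from BIND, and the two replies it parses are constructed by hand rather than captured traffic (192.0.2.1 is a documentation address). The size arithmetic assumes a 1500-byte Ethernet MTU with minimal IPv4 (20 bytes) or IPv6 (40 bytes) headers plus the 8-byte UDP header, which is why Mark's 1460 sits comfortably under both.

```python
"""EDNS0 payload-size and TC-bit handling in DNS wire format (stdlib only).

Added example for this page: not code from the original post, ISC or BIND.
The replies below are constructed by hand, not captured from a server.
"""
import struct

TYPE_OPT = 41        # OPT pseudo-RR type (EDNS0, RFC 6891)
TYPE_A = 1
FLAG_TC = 0x0200     # TrunCation bit in the header flags word


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, edns_udp_size: int, qid: int = 0x1234) -> bytes:
    """Query with an OPT RR advertising the UDP payload size we can receive."""
    # id, flags (RD only), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP size,
    # TTL=extended rcode/version/flags (all zero here), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Header flags plus the EDNS UDP size found in an OPT RR, if any."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4   # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_size = rclass           # CLASS of OPT = sender's UDP payload size
    return {"id": qid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "answers": an, "edns_udp_size": edns_size}


def choose_transport(reply: bytes) -> str:
    """A truncated UDP reply must be retried over TCP; otherwise UDP was enough."""
    return "tcp" if parse_response(reply)["tc"] else "udp"


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP: each message is prefixed with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def max_udp_payload_without_fragmentation(mtu: int = 1500, ipv6: bool = False) -> int:
    """Largest DNS/UDP payload that fits one packet: MTU minus IP and UDP headers."""
    ip_header = 40 if ipv6 else 20
    return mtu - ip_header - 8


def _constructed_reply(flags: int, answer_rrs: bytes, ancount: int, udp_size: int) -> bytes:
    """Hand-built reply to the example.com/A query (constructed sample data)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 1)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + answer_rrs + opt


# QR|TC|RD|RA with no answers: the server could not fit the reply in our size.
TRUNCATED_REPLY = _constructed_reply(0x8380, b"", 0, 4096)
# QR|RD|RA with one A record (name is a compression pointer to the question).
A_RECORD = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
FULL_REPLY = _constructed_reply(0x8180, A_RECORD, 1, 4096)


if __name__ == "__main__":
    query = build_query("example.com", TYPE_A, 1460)
    print("query advertises", parse_response(query)["edns_udp_size"], "bytes")
    print("truncated reply ->", choose_transport(TRUNCATED_REPLY), "retry")
    print("full reply      ->", choose_transport(FULL_REPLY))
    print("IPv4 / IPv6 unfragmented limit:",
          max_udp_payload_without_fragmentation(),
          max_udp_payload_without_fragmentation(ipv6=True))
```

The TC-bit fallback is exactly why blocking port 53/TCP at a firewall breaks large answers rather than merely slowing them, and the MTU arithmetic is why an advertised size well above 1472 (IPv4) or 1452 (IPv6) produces the fragmented responses the post describes.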