[dns-operations] summary of recent vulnerabilities in DNS security.

Haya Shulman haya.shulman at gmail.com
Sat Oct 26 09:37:50 UTC 2013


>
> This is essentially an IP packet modification vulnerability and in order
> to do these, you don't even need fragmentation. This might happen even
> due to malfunctioning network adapter or other network device, not
> necessarily an "attack". One of the reasons for DNSSEC existence is to
> prevent processing of "damaged" DNS data, with malicious origin or not.
> If you are concerned with improperly assembled IP packets, the DNS
> community is the wrong place to ask for a fix. The DNS community can
> only make sure "their" protocol takes care of such issues, and issues
> like this are totally addressed by technologies such as DNSSEC, TSIG
> etc. But the fundamental "fix" for this issue has to happen in the
> TCP/IP stack.



IP does not, and was not designed to, guarantee security - only best effort
end-to-end delivery. The discussion was if Eastlake cookies can prevent the
attacks: the example I showed was a legitimate way to apply IP
fragmentation (which is a feature of IP - it is not a bug) to foil the
protection offered by Eastlake cookies and to inject spoofed content into
the DNS response (despite the use of Eastlake cookies for protection). This
should be of interest to the DNS community, unless you argue that the DNS
community should rely on the IP layer for the security of DNS.


-- 

Best Regards,

Haya Shulman
Technische Universität Darmstadt
FB Informatik/EC SPRIDE
Mornewegstr. 30
64293 Darmstadt
Tel. +49 6151 16-75540
www.ec-spride.de