[dns-operations] DNS Attack over UDP fragmentation

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Sep 4 13:55:22 UTC 2013

On Wed, Sep 04, 2013 at 10:45:42PM +0900,
 Yasuhiro Orange Morishita / 森下泰宏 <yasuhiro at jprs.co.jp> wrote 
 a message of 38 lines which said:

> So, we might set max-udp-size to 1220 for preventing UDP
> fragmentation.  

But, in IPv4, the attacker can send spoofed ICMP "packet too big"
messages to decrease the size of the path MTU, as seen by the DNS

I do not find an equivalent of RFC 5927 for UDP. I assume (I didn't
check) that UDP stacks implement similar protections (some suggestions
of RFC 59267 are very TCP-specific such as checking the sequence
number) but it would be interesting to study this possible attack in

More information about the dns-operations mailing list