[dns-operations] DNS Attack over UDP fragmentation

Ondřej Surý ondrej.sury at nic.cz
Wed Sep 4 14:22:42 UTC 2013

On 4. 9. 2013, at 16:11, Jim Reid <jim at rfc1035.com> wrote:

> On 4 Sep 2013, at 15:04, Ondřej Surý <ondrej.sury at nic.cz> wrote:
>>> A possible solution is simply to deploy IPv6 faster :-)
>> Yeah :), but what should we do in the eternity meanwhile?
> Don't fragment at all, set TC=1 on responses which would cause UDP or lower layer fragmentation and assume only genuine queries will do a TCP retry, avoiding rate limiters?

But that will still strip out the paths where the fragmentation is needed, and the MTU is lower than your limit in the DNS server.

Remember that the DNS server has no idea what the MTU is and whether the fragmentation is needed or not.

 Ondřej Surý -- Chief Science Officer
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury at nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
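
The "truncate instead of fragment" policy from the exchange above, as an added illustration that is not code from this thread or from any DNS server: a minimal wire-format builder (names, the 512/1232-byte limits and the constructed example.com answers are assumptions) that returns a TC=1 reply with an empty answer section whenever the full response would exceed the operator's UDP size ceiling. The ceiling is a server-side guess, which is the point made in the reply: nothing in this function knows the real path MTU.

```python
import struct

# Constructed example: a tiny DNS response builder used to show the policy
# "cap UDP responses at a fixed size and set TC=1 above it". The limit values
# passed to udp_response() are assumed operator settings, not a measured MTU.

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, a_records, txid=0x1234, truncated=False):
    """Build an authoritative A-record response; TC=1 drops the answer section."""
    flags = 0x8000 | 0x0400            # QR=1 (response), AA=1
    if truncated:
        flags |= 0x0200                # TC=1: client should retry over TCP
    answers = [] if truncated else a_records
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    body = b""
    for ip in answers:
        # 0xC00C = compression pointer to the qname at offset 12 (header length)
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        body += bytes(int(octet) for octet in ip.split("."))
    return header + question + body

def udp_response(qname, a_records, udp_limit):
    """Datagram to send over UDP: the full answer if it fits in udp_limit bytes,
    otherwise a TC=1 reply so the IP layer never has to fragment. udp_limit is
    whatever the operator configured; it says nothing about the actual path MTU,
    so a path whose MTU is below udp_limit still gets a fragmented datagram."""
    full = build_response(qname, a_records)
    if len(full) <= udp_limit:
        return full
    return build_response(qname, a_records, truncated=True)

def is_truncated(msg):
    """Read the TC bit from a wire-format DNS message."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

def answer_count(msg):
    """Read ANCOUNT from the header."""
    return struct.unpack("!H", msg[6:8])[0]
```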
