[dns-operations] DNS Attack over UDP fragmentation

Jim Reid jim at rfc1035.com
Wed Sep 4 15:00:41 UTC 2013


On 4 Sep 2013, at 15:34, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

>> Don't fragment at all, set TC=1 on responses which would cause UDP
>> or lower layer fragmantation 
> 
> Not obvious to implement, the application (the name server) typically
> does not know the path MTU before sending an UDP packet to a
> destination (it's the kernel's job).

That's quite right Stephane. However in these sorts of situations, ugly things like layering violations might have to be invoked: "To hell with PMTU, I'm going to truncate any DNS response that's more than N bytes, no matter what the max fragment size might be between here and the destination. Have a nice day."

I'm not suggesting that this is a viable long-term solution or even the silver bullet. It could however be a pragmatic way of damage limitation when an actual attack is in progress.


More information about the dns-operations mailing list