[dns-operations] DNS Attack over UDP fragmentation

kato at wide.ad.jp kato at wide.ad.jp
Wed Sep 4 15:09:17 UTC 2013


A few years ago, I had an informal conversation with Dr. Vixie, and he
mentioned he could work a little bit more on DNS level fragmentation
(protocol modification required, however).

At a glance, we may use the EDNS0 variable part to represent DNS-level
fragmentation information, as well as additional bits of extended ID,
etc. There may be much better modifications.

When these are defined, implemented, and deployed, all DNS messages
can be sent with DF=1, or the IPv6 fragmentation option can be
deprecated. The question is deployment, while it may be easier than
DNSSEC, as operators may just upgrade the software. Even now, only 2/3
of queries to one of the Root DNS servers are with EDNS0...

-- Akira Kato, WIDE Project
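The message above turns on two facts a practitioner would want to check for a given resolver or zone: whether a query carries an EDNS0 OPT pseudo-RR at all (the 2/3 figure), and whether a response of a given size would exceed the path MTU and so be IP-fragmented. The following Python is an added example, not code from the thread or from any of its participants: it parses the OPT RR out of a raw DNS message to read the advertised UDP payload size, and computes whether a DNS/UDP datagram of a given length fits the MTU without fragmentation. The sample query messages are constructed inline; the function names and the query ID are arbitrary choices of this example.

```python
"""
Added example (not part of the dns-operations thread): locate the EDNS0
OPT pseudo-RR in a raw DNS message, read the advertised UDP payload size,
and decide whether a DNS/UDP datagram of a given size would be fragmented
on a path with a given MTU. Sample messages are constructed below.
"""
import struct

TYPE_OPT = 41                      # OPT pseudo-RR type (RFC 6891)
IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8


def _skip_name(msg, off):
    """Return the offset just past a wire-format (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def edns0_payload_size(msg):
    """Return the UDP payload size advertised in the OPT RR, or None if no EDNS0."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass               # OPT reuses the CLASS field as the UDP payload size
        off += 10 + rdlen
    return None


def would_fragment(dns_len, mtu, ipv6=False):
    """True if a DNS message of dns_len bytes over UDP would exceed the path MTU."""
    overhead = (IPV6_HDR if ipv6 else IPV4_HDR) + UDP_HDR
    return dns_len + overhead > mtu


def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, udp_size=None):
    """Constructed sample: a standard query, optionally with an EDNS0 OPT RR."""
    arcount = 1 if udp_size is not None else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # ID is arbitrary
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero here), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


if __name__ == "__main__":
    plain = build_query("example.com.")
    edns = build_query("example.com.", udp_size=4096)
    print(edns0_payload_size(plain))           # None: no OPT RR, classic 512-byte limit
    print(edns0_payload_size(edns))            # 4096
    print(would_fragment(4096, 1500))          # True: IPv4 Ethernet path would fragment
    print(would_fragment(1232, 1280, ipv6=True))  # False: fits the IPv6 minimum MTU
```

Run against captured queries, `edns0_payload_size` returning None is the "non-EDNS0" case Kato counts; `would_fragment` with `ipv6=True` and the IPv6 minimum MTU of 1280 shows why 1232 bytes (1280 minus 40 bytes IPv6 and 8 bytes UDP header) is the largest DNS message that never needs IPv6 fragmentation.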

From: Jelte Jansen <jelte.jansen at sidn.nl>
Subject: Re: [dns-operations] DNS Attack over UDP fragmentation
Date: Wed, 4 Sep 2013 16:56:39 +0200

> On 09/04/2013 04:50 PM, Ondřej Surý wrote:
>> BTW, just to complete my question in the first email: is there agreement that this is serious and needs to be addressed?
> Just had a quick read and here are some random thoughts (staying out of
> solution space for now):
> Fragmentation has long been known to be a security hazard, so I
> certainly think this is plausible. The initial requirements to pull this
> off seem a bit more than for the original attack (however once they are
> there it is easier). Funny how having DNSSEC but not validating it makes
> it worse (and something to remember when turning on NTA). Also reminds
> me to look at the tcp-only thing again.
> I'd love to see a PoC and try it out here.
> Jelte
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
