[dns-operations] DNS Attack over UDP fragmentation

Francis Dupont Francis.Dupont at fdupont.fr
Wed Sep 4 15:48:06 UTC 2013


 In your previous mail you wrote:

>  When these are defined, implemented, and deployed, all DNS messages
>  can be sent with DF=1 or IPv6 fragmentation option can be
>  deprecated.

=> if I remember well the attack is for IPv4 (it exchanges the random
DNS ID and port against the random IP ID, which is 32 bits long for IPv6
(so bigger/safer) and 16 bits long for IPv4). And of course it doesn't
work with DNSSEC or anything which is not at the end of the response
(so the reference to Kaminsky's attack is really relevant).

Regards

Francis.Dupont at fdupont.fr