[dns-operations] DNS Attack over UDP fragmentation

Jaroslav Benkovský jaroslav.benkovsky at nic.cz
Wed Sep 4 16:02:20 UTC 2013

On 09/04/2013 05:48 PM, Francis Dupont wrote:
>  In your previous mail you wrote:
>>  When these are defined, implemented, and deployed, all DNS messages
>>  can be sent with DF=1 or IPv6 fragmentation option can be
>>  deprecated.
> => if I remember well the attack is for IPv4 (it exchanges the random
> DNS ID and port against the random IP ID which is 32 bit long for IPv6
> (so bigger/safer) and 16 bit long for IPv4).

Read the paper, the authors mention that the recommendation for IP-ID on
IPv6 is a sequential value, so its entropy is meager at best. Also some
implementations on IPv4 use sequential value or per destination counters.

Jaroslav Benkovsky

More information about the dns-operations mailing list