[dns-operations] DNS Attack over UDP fragmentation

Robert Edmonds edmonds at mycre.ws
Fri Sep 6 16:42:43 UTC 2013


Aaron Campbell wrote:
> Here is a thought, but I will defer to the protocol experts on plausibility.  The resolver knows the size of each DNS message it parses.  What if it didn't trust glue records contained within large (i.e., > 1400 bytes or so) responses?  In these cases, the resolver sends a separate query to resolve the dangling authority NS records.  This introduces overhead, but only for large replies.  It also makes a few assumptions, namely that the fragmentation point is something around 1500 bytes (and not something lower), and that the attack is only practical against the glue records, not the authority section.  May be able to play games with name compression there though… perhaps it is at least worth discussing as an additional barrier.

this sounds vaguely similar to unbound's "harden-referral-path" option,
though it applies to all lookups.

-- 
Robert Edmonds
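
As an added illustration of the heuristic Aaron proposes (example code, not from this thread, from unbound, or from any resolver): a minimal DNS wire-format parser that pulls the NS targets out of the authority section and the A/AAAA glue out of the additional section of a referral, then discards the glue whenever the whole response exceeds a size threshold, so those NS names have to be looked up with separate queries. The 1400-byte limit, the `example.test` names and the sample message are constructed assumptions; compression pointers are accepted only when they point backwards.

```python
import struct
GLUE_SIZE_LIMIT = 1400  # size threshold from the proposal above (an assumption)

def read_name(msg, off):  # decode a (possibly compressed) name -> (name, next offset)
    labels, end = [], None
    for _ in range(128):                       # bound pointer chasing
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer, must point backwards
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off: raise ValueError("forward compression pointer")
            end, off = (off + 2 if end is None else end), ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels) or ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    raise ValueError("name too long")

def parse_referral(msg):  # NS targets (authority section) and A/AAAA glue (additional)
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):                        # skip the question section
        off = read_name(msg, off)[1] + 4
    ns_names, glue = [], {}
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if section == "ns" and rtype == 2:             # NS
                ns_names.append(read_name(msg, off)[0])
            elif section == "ar" and rtype in (1, 28):     # A / AAAA
                glue.setdefault(owner, []).append(msg[off:off + rdlen])
            off += rdlen
    return ns_names, glue

def nameservers_to_resolve(msg):  # proposed policy: trust glue only in small replies
    ns_names, glue = parse_referral(msg)
    if len(msg) > GLUE_SIZE_LIMIT:
        glue = {}                               # large reply: ignore every glue record
    return ({n: glue[n] for n in ns_names if n in glue},   # usable glue
            [n for n in ns_names if n not in glue])         # needs a separate query
def _name(n):                                   # wire-encode a name (sample builder)
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
def _rr(owner, rtype, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
# Constructed referral: NS owners compressed (pointer to the question name at 12), glue for ns1 only
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 0, 2, 1) + _name("example.test") + b"\x00\x01\x00\x01"
          + _rr(b"\xc0\x0c", 2, _name("ns1.example.test")) + _rr(b"\xc0\x0c", 2, _name("ns2.example.test"))
          + _rr(_name("ns1.example.test"), 1, bytes([192, 0, 2, 1])))
```

For `SAMPLE` (122 bytes) the glue for ns1 is kept and only ns2 needs its own lookup; the same records in a response padded past the threshold yield no usable glue at all.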
