[dns-operations] DNS Attack over UDP fragmentation

Aaron Campbell aaron at arbor.net
Sun Sep 8 14:31:16 UTC 2013


On 2013-09-07, at 4:11 PM, Paul Wouters <paul at nohats.ca> wrote:

>>> this sounds vaguely similar to unbound's "harden-referral-path" option,
>>> though it applies to all lookups.
>> 
>> I researched this, and found that it was first described here:
>> 
>> http://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01#section-3.3
>> 
>> The option is currently marked "experimental" due to not being RFC standard, and performance concerns.  If the option were applied only to large responses (specifically to mitigate this type of attack), that would reduce the performance impact.
> 
> This option has been enabled for years in the RHEL/EPEL and Fedora
> standard configurations of unbound.

That would be very interesting if Unbound were the default DNS server in these dists, but I assume it is BIND?

-Aaron
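As an added example, not part of the thread or of any distribution's shipped configuration: the unbound.conf server section that enables the option Paul and Aaron are discussing. `harden-referral-path` is a real, documented unbound option (off by default); the listen address and access-control values around it are assumptions for illustration only.

```conf
# unbound.conf -- added example, not from the original post.
# Only the harden-referral-path line relates to the thread; the rest
# is an assumed minimal local-resolver setup.
server:
    interface: 127.0.0.1                  # assumed: local-only resolver
    access-control: 127.0.0.0/8 allow     # assumed
    # Option discussed in the thread. Default is "no"; unbound's own
    # documentation marks it experimental and notes the extra lookups
    # it performs to verify the referral chain.
    harden-referral-path: yes
```

After editing, `unbound-checkconf /etc/unbound/unbound.conf` validates the file, and `unbound-checkconf -o harden-referral-path` prints the effective value so a running configuration can be checked rather than assumed.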

