[dns-operations] DNS Attack over UDP fragmentation

Keith Mitchell keith at dns-oarc.net
Mon Sep 9 15:27:21 UTC 2013

On 09/09/2013 06:07 AM, Haya Shulman wrote:

> For instance, DNS-OARC does not detect port prediction attacks, and 
> reports clients as secure, while they are vulnerable to attacks.

OARC does many things, I assume here you are referring to our port
entropy tester:


> I contacted the maintainers of DNS-OARC and notified them of this 
> vulnerability last year, and proposed a simple fix to the problem...
> but the system was not updated and still reports vulnerable systems
> as secure, so relying on its feedback may be risky.

I didn't see that communication, so I can only assume it pre-dated my
current OARC tenure. Thanks for the heads-up and apologies it did not
get responded to. If you could please re-send me what you sent off-list,
we'll see about getting your proposed fix incorporated into the tool
and/or an appropriate caveat meantime.


More information about the dns-operations mailing list