[dns-operations] DNS Attack over UDP fragmentation

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Sep 11 06:58:36 UTC 2013

On Tue, Sep 10, 2013 at 07:14:04PM +0300,
 Haya Shulman <haya.shulman at gmail.com> wrote 
 a message of 187 lines which said:

> > the trouble with randomizing the IPID is that this would require
> > kernel-level patches (as opposed to just DNS server software
> > upgrade), I believe.  This makes it somewhat harder to deploy.
> >
> Can you please extend? In particular, why is it more difficult (and
> how much more difficult is it) to deploy by distributing a kernel
> patch?

Sociological reasons: it's a different bunch of people. On this list,
you have many (most?) of the persons who actually write DNS
software. You can get in touch with them and convince them. Kernel
people are a different crowd, quite separate.

Practical reasons: people hesitate more to change the kernel (because
it can lead to various troubles, difficult to fix, especially remotely)
than to change the DNS server (where you can always backtrack, in the
worst case).

Security researchers seem to always think that patching software is
simple. Operations people know otherwise.
