[dns-operations] summary of recent vulnerabilities in DNS security.

Hannes Frederic Sowa hannes at stressinduktion.org
Fri Feb 14 10:25:39 UTC 2014


On Thu, Jan 16, 2014 at 12:42:36AM +0100, Hannes Frederic Sowa wrote:
> On Wed, Jan 15, 2014 at 03:33:02PM -0800, Colm MacCárthaigh wrote:
> > For DNS, we have the option to respond with a TC=1 response, so if I
> > detected a datagram with suspicious or mismatching TTLs, TC=1 is a decent
> > workaround. TCP is then much more robust against intermediary spoofing. I
> > can't force the clients to use DF though.
> 
> That would need to be implemented as cmsg access ancillary data and cannot
> be done as a netfilter module (unless the DNS packet generation is also
> implemented as netfilter target). Because this touches core code, this
> really needs strong arguments to get accepted. Maybe this can be done
> as part of the socket fragmentation notification work. I'll have a look
> but want to think about how easy this can get circumvented first. Maybe
> you already thought about that?

If my DTLS experiments turn out to be usable I guess I will add this
feature because I would favour better estimated MTU limits during the
handshake.

As a new socket option would need to be designed for that, I guess
a flags field indicating a mismatch on the TTL on incoming fragments
wouldn't hurt.

Thanks,

  Hannes
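The TC=1 workaround discussed above (answer a suspicious UDP query with a truncated response so the client retries over TCP) worked through as an added example; this is not code from the thread or from the Linux kernel work Hannes mentions. It hand-rolls the RFC 1035 wire format, and the `fragment_ttl_mismatch` argument is an assumption standing in for the per-datagram flag he proposes, which does not exist as a socket option here.

```python
"""Added example, not from the dns-operations thread: force a TCP retry by
answering with TC=1 when the UDP query looked suspicious (RFC 1035 §4.1.1,
§4.2.2 framing).  The 'fragment_ttl_mismatch' flag is a hypothetical stand-in
for the kernel-supplied ancillary-data flag discussed in the thread."""
import struct

# Header flag bits (RFC 1035 §4.1.1)
QR = 0x8000  # response
TC = 0x0200  # truncated: client should retry over TCP
RD = 0x0100  # recursion desired (echoed back to the client)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample query: 12-byte header plus one IN question."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def question_len(msg: bytes) -> int:
    """Length of the single question section that follows the header."""
    i = 12
    while msg[i] != 0:          # walk the labels; a question carries no pointers
        i += 1 + msg[i]
    return i + 1 + 4 - 12       # terminating zero byte + QTYPE/QCLASS


def truncated_response(query: bytes) -> bytes:
    """Echo the question with QR=1, TC=1, RCODE=0 and no answer records.

    The response is always tiny, so it never fragments itself; the real
    data is only handed out once the client comes back over TCP."""
    txid, flags = struct.unpack("!HH", query[:4])
    qlen = question_len(query)
    flags = QR | TC | (flags & RD)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:12 + qlen]


def udp_reply(query: bytes, full_answer: bytes, fragment_ttl_mismatch: bool) -> bytes:
    """Server side: hand out the real answer unless the datagram looked spoofed.

    'fragment_ttl_mismatch' is the hypothetical per-datagram signal from the
    thread (fragments of one IP packet arriving with differing TTLs)."""
    if fragment_ttl_mismatch:
        return truncated_response(query)
    return full_answer


def needs_tcp_retry(response: bytes) -> bool:
    """Client side: a set TC bit means retry the same query over TCP."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & TC)


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    q = build_query("example.com.")
    r = udp_reply(q, b"<full answer would go here>", fragment_ttl_mismatch=True)
    print("TC set:", needs_tcp_retry(r), "len:", len(r))
    print("TCP frame:", frame_for_tcp(q).hex())
```

The response keeps the client's transaction ID and RD bit and sets nothing but QR and TC, which is exactly what a stub or recursive resolver expects before falling back to TCP; an attacker who can only spoof UDP fragments gains nothing from the truncated reply, since the answer it needs to poison is never sent over UDP.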