[dns-operations] summary of recent vulnerabilities in DNS security.

Hannes Frederic Sowa hannes at stressinduktion.org
Wed Jan 15 19:11:16 UTC 2014


On Wed, Jan 15, 2014 at 10:42:21AM -0800, Colm MacCárthaigh wrote:
> On Wed, Jan 15, 2014 at 5:06 AM, Hannes Frederic Sowa <
> hannes at stressinduktion.org> wrote:
> >
> > Would it be of interest to get the state of fragmentation on incoming
> > datagrams by e.g. ancillary data on recvmsg so resolvers could check if
> > the incoming packet was fragmented then drop and retry if it was below
> > a certain size?
> >
> 
> Yes, I'd appreciate that capability at least. It would also be nice to be
> able to reject re-assembled datagrams whose fragments had different IP TTL
> values.

IIRC this was already under discussion and at that time was not considered
beneficial (I don't remember where).

For inclusion into the core stack we would need some hard facts that
different TTLs on fragments are very unlikely on the internet (which
I doubt).

A netfilter match should be doable nonetheless.

Thanks,

  Hannes
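The resolver-side check proposed in the quoted question, as an added example that is not from the thread: it assumes the Linux IP_RECVFRAGSIZE / IPV6_RECVFRAGSIZE socket options, which (once enabled with setsockopt()) deliver the largest fragment size of a reassembled datagram as ancillary data on recvmsg(); the threshold MIN_SAFE_FRAG, the function names and the constructed control buffer are hypothetical.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Assumed API: once IP_RECVFRAGSIZE / IPV6_RECVFRAGSIZE is enabled with
 * setsockopt(), Linux attaches an int cmsg carrying the largest fragment size
 * of a reassembled datagram. Older libc headers may lack the names. */
#ifndef IP_RECVFRAGSIZE
#define IP_RECVFRAGSIZE 25
#endif
#ifndef IPV6_RECVFRAGSIZE
#define IPV6_RECVFRAGSIZE 77
#endif

/* Hypothetical policy threshold: replies fragmented below this are re-queried. */
#define MIN_SAFE_FRAG 1280

/* Largest fragment size reported for a datagram, or 0 if it arrived unfragmented. */
int reassembled_frag_size(struct msghdr *msg)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        int v4 = c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_RECVFRAGSIZE;
        int v6 = c->cmsg_level == IPPROTO_IPV6 && c->cmsg_type == IPV6_RECVFRAGSIZE;
        if ((v4 || v6) && c->cmsg_len >= CMSG_LEN(sizeof(int))) {
            int size;
            memcpy(&size, CMSG_DATA(c), sizeof size);
            return size;
        }
    }
    return 0;
}

/* The thread's resolver policy: drop and retry (e.g. over TCP) if fragmented below threshold. */
int should_drop_and_retry(struct msghdr *msg)
{
    int frag = reassembled_frag_size(msg);
    return frag > 0 && frag < MIN_SAFE_FRAG;
}

/* Constructed sample: fill a msghdr the way recvmsg() would, for offline tests. */
void fake_fragsize_cmsg(struct msghdr *msg, unsigned char *buf, size_t buflen,
                        int level, int type, int fragsize)
{
    memset(msg, 0, sizeof *msg);
    msg->msg_control = buf; msg->msg_controllen = buflen;
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = level; c->cmsg_type = type;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fragsize, sizeof fragsize);
}
```

In a real resolver the control buffer comes from recvmsg() on a socket where the option was enabled; a retry over TCP sidesteps fragmentation entirely.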
