[dns-operations] summary of recent vulnerabilities in DNS security.

Hannes Frederic Sowa hannes at stressinduktion.org
Wed Jan 15 23:42:36 UTC 2014

On Wed, Jan 15, 2014 at 03:33:02PM -0800, Colm MacCárthaigh wrote:
> For DNS, we have the option to respond with a TC=1 response, so if I
> detected a datagram with suspicious or mismatching TTLs, TC=1 is a decent
> workaround. TCP is then much more robust against intermediary spoofing. I
> can't force the clients to use DF though.

That would need to be implemented as cmsg access to ancillary data and cannot
be done as a netfilter module (unless the DNS packet generation is also
implemented as a netfilter target). Because this touches core code, this
really needs strong arguments to get accepted. Maybe this can be done
as part of the socket fragmentation notification work. I'll have a look
but want to think about how easily this can get circumvented first. Maybe
you already thought about that?
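The TC=1 workaround Colm describes, as an added example that is not code from either poster: a minimal UDP DNS front-end that reads the incoming IP TTL through recvmsg() ancillary data (Linux IP_RECVTTL, delivered as an IP_TTL cmsg), and answers any query whose TTL implies a path length that does not match the expected one with a truncated (TC=1) reply, so the client retries over TCP. The hop-count policy (initial TTLs of 64/128/255, an `expected_hops` value per client, a tolerance of two hops), the listening port and the sample query are assumptions for illustration; a real server would have to learn the expected distance per client and fill in actual answers on the non-truncated path.

```python
import socket
import struct

# Assumption: senders use one of the usual initial TTLs, so a datagram observed
# with TTL t was emitted with the smallest of these that is >= t.
INITIAL_TTLS = (64, 128, 255)

QR, TC, RD = 0x8000, 0x0200, 0x0100
OPCODE_MASK = 0x7800


def hops_from_ttl(ttl):
    """Estimate the hop count a datagram has travelled from its observed IP TTL."""
    if not 1 <= ttl <= 255:
        raise ValueError("TTL out of range")
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def ttl_is_suspicious(ttl, expected_hops, tolerance=2):
    """Assumed policy: a datagram whose TTL implies a distance that differs
    from the one learned for this client by more than `tolerance` hops is
    treated as possibly injected by an intermediary."""
    return abs(hops_from_ttl(ttl) - expected_hops) > tolerance


def question_section(query):
    """Return the bytes of the first question (QNAME + QTYPE + QCLASS)."""
    pos = 12
    while True:
        if pos >= len(query):
            raise ValueError("truncated QNAME")
        length = query[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query QNAME")
        pos += 1 + length
    end = pos + 4
    if end > len(query):
        raise ValueError("truncated question")
    return query[12:end]


def build_response(query, truncate):
    """Echo the query ID, opcode and RD; set QR, plus TC when truncate is True.
    Only the question is copied back; a real server adds the answer section
    on the non-truncated path."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    qid, qflags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    flags = QR | (qflags & OPCODE_MASK) | (qflags & RD)
    if truncate:
        flags |= TC
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + question_section(query)


def is_truncated(msg):
    """True when the TC bit is set in a DNS message header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC)


def handle(query, ttl, expected_hops, tolerance=2):
    """Per datagram: TC=1 when the TTL is missing or mismatching, pushing the
    client to TCP; otherwise an ordinary reply."""
    truncate = ttl is None or ttl_is_suspicious(ttl, expected_hops, tolerance)
    return build_response(query, truncate)


def recv_with_ttl(sock):
    """recvfrom() replacement that also returns the IP TTL the kernel delivers
    as ancillary data (Linux: IP_RECVTTL enables an IP_TTL cmsg holding an int)."""
    data, ancdata, _flags, addr = sock.recvmsg(4096, socket.CMSG_SPACE(4))
    ttl = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == socket.IP_TTL:
            ttl = struct.unpack("i", cdata[:4])[0]
    return data, ttl, addr


def serve(bind=("127.0.0.1", 5353), expected_hops=0, tolerance=2):
    """Blocking UDP loop; port and expected_hops are illustrative defaults."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_RECVTTL, 1)
    sock.bind(bind)
    while True:
        data, ttl, addr = recv_with_ttl(sock)
        try:
            sock.sendto(handle(data, ttl, expected_hops, tolerance), addr)
        except ValueError:
            continue  # malformed query: drop it


# Constructed sample query: ID 0x1234, RD set, one question for example.com A.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1234, RD, 1, 0, 0, 0)
    + b"\x07example\x03com\x00"
    + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    serve()
```

Note that the forcing only works because the DNS client, not the server, chooses to retry over TCP on TC=1; the server cannot make the client set DF, as Colm points out, and an attacker who can already inject datagrams with a plausible TTL is not caught by this check, which is the circumvention question Hannes raises.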
