[dns-operations] dropping fragmented requests

Shane Kerr shane at time-travellers.org
Mon Apr 11 15:09:10 UTC 2016


David,

At 2016-04-11 10:05:21 -0400
David Conrad <drc at virtualized.org> wrote:

> > I think you're pretty safe dropping query fragments.  
> 
> Given our painful collective experience with making assumptions about
> what is "safe", I think this is bad advice.

I'll grant that it depends on your tolerance for breakage and the
amount of time you spend on the care and feeding of your DNS.

Even though I have worked at DNS companies for the past several years,
at one of them we had to deal with a firewall that was configured to
drop IPv4 fragments - which broke *answers* when DNSSEC started being
adopted.

Still, it was quickly identified and fixed. If it let the network
administrators sleep easier for a few years until that point, possibly
it was a worthwhile trade-off. (Although if the network administrators
had asked I would not have advised dropping fragmented *answers*, even
then...)

Note finally that there are attacks against DNS using IP fragmentation
that are actually very difficult to avoid:

https://ripe67.ripe.net/presentations/240-ipfragattack.pdf

https://www.ietf.org/proceedings/87/slides/slides-87-saag-4.pdf

:(

Cheers,

--
Shane