[dns-operations] dropping fragmented requests
Shane Kerr
shane at time-travellers.org
Mon Apr 11 15:09:10 UTC 2016
David,
At 2016-04-11 10:05:21 -0400
David Conrad <drc at virtualized.org> wrote:
> > I think you're pretty safe dropping query fragments.
>
> Given our painful collective experience with making assumptions about
> what is "safe", I think this is bad advice.
I'll grant that it depends on your tolerance for breakage and the
amount of time you spend caring & feeding for your DNS.
Even though I have worked at DNS companies for the past several years,
at one of them we had to deal with a firewall that was configured to
drop IPv4 fragments - which broke *answers* when DNSSEC started being
adopted.
Still, it was quickly identified and fixed. If it let the network
administrators sleep easier for a few years until that point, possibly
it was a worthwhile trade-off. (Although if the network administrators
had asked I would not have advised dropping fragmented *answers*, even
then...)
Note finally that there are attacks against DNS using IP fragmentation
that are actually very difficult to avoid:
https://ripe67.ripe.net/presentations/240-ipfragattack.pdf
https://www.ietf.org/proceedings/87/slides/slides-87-saag-4.pdf
:(
Cheers,
--
Shane
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160411/1edee40e/attachment.sig>
More information about the dns-operations
mailing list