[dns-operations] Effect of NAT on DNS requests
Mark Andrews
marka at isc.org
Fri Nov 18 23:48:34 UTC 2016
In message <20161118170812.1226028e at p50.localdomain>, John Kristoff writes:
> On Fri, 18 Nov 2016 22:41:01 +0000
> Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>
> > Umm.. seems not at all on my box. Anyone ever looked at this?
>
> You may have seen Appendix A in IETF RFC 6056 - Port Randomization
> already, but perhaps you haven't seen this academic paper?
>
> Security of Patched DNS, Herzberg and Shulman
> <http://u.cs.biu.ac.il/~herzbea/security/12-04-derandomisation.pdf>
>
> John
Port randomisation isn't needed with DNS COOKIE. This is supported
in BIND 9.11.0 (on by default) and BIND 9.10.4 (configure switch /
on by default in the Windows binaries we ship). We are already
seeing support at the root and TLD levels.
For the Alexa top 1M DNS COOKIE support is just shy of 1% [1].
1976 of 223911 (0.88%) EDNS capable servers return a Server EDNS COOKIE option
Additionally named can use responses from servers that echo EDNS options.
Mark
[1] https://ednscomp.isc.org/compliance/alexa1m-report.html
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
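The 0.88% figure above counts servers that return a Server EDNS COOKIE option. The following is an added example, not code from this thread or from ISC, showing what that check looks like on the wire: it builds a query carrying an EDNS(0) COOKIE option and classifies a reply by whether the OPT RR echoes the client cookie alone or carries a server cookie as well. It assumes the RFC 7873 layout (option code 10, an 8-byte client cookie, an 8 to 32-byte server cookie) and uses a constructed reply in place of a live server's answer; the name `example.com` and the transaction id are arbitrary.

```python
"""Build an EDNS(0) COOKIE query and classify a reply (added example).

RFC 7873 layout assumed: OPT pseudo-RR type 41, COOKIE option code 10,
client cookie exactly 8 bytes, server cookie 8..32 bytes, so a returned
COOKIE option is 8 bytes (client only) or 16..40 bytes (client + server).
"""
import struct

OPT_TYPE = 41
COOKIE_OPTION = 10
UDP_PAYLOAD = 1232


def encode_name(name: str) -> bytes:
    """Wire-format (uncompressed) domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _build_message(qname: str, txid: int, flags: int, cookie_value):
    """Header + one A/IN question + (optionally) one OPT RR with a COOKIE option."""
    arcount = 0 if cookie_value is None else 1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if cookie_value is None:
        return header + question
    option = struct.pack("!HH", COOKIE_OPTION, len(cookie_value)) + cookie_value
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, 0, len(option)) + option
    return header + question + opt


def build_cookie_query(qname: str, client_cookie: bytes, txid: int = 0x1234) -> bytes:
    """Query with RD set and a client-only COOKIE option, as a resolver would send."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    return _build_message(qname, txid, 0x0100, client_cookie)


def constructed_reply(qname: str, client_cookie: bytes, server_cookie, txid: int = 0x1234) -> bytes:
    """CONSTRUCTED sample reply standing in for a real server's answer.
    server_cookie=b'' echoes the client cookie only; None omits the OPT RR."""
    value = None if server_cookie is None else client_cookie + server_cookie
    return _build_message(qname, txid, 0x8180, value)  # QR, RD, RA set


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, including a trailing compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def classify_cookie_reply(msg: bytes, client_cookie: bytes) -> str:
    """Return 'server', 'client-only', 'mismatch', 'malformed' or 'none'."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        p = 0
        while p + 4 <= len(rdata):  # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            val = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
            if code != COOKIE_OPTION:
                continue
            if val[:8] != client_cookie:
                return "mismatch"       # server did not echo our client cookie
            if len(val) == 8:
                return "client-only"    # echoed, but no server cookie
            if 16 <= len(val) <= 40:
                return "server"         # counts toward the 0.88% above
            return "malformed"
    return "none"


if __name__ == "__main__":
    cc = bytes(range(8))             # constructed client cookie (use os.urandom(8) in practice)
    sc = bytes([0xAA]) * 8           # constructed server cookie
    print(classify_cookie_reply(constructed_reply("example.com", cc, sc), cc))
```

Against a live server the same classification is what `dig +cookie example.com @server` shows in its OPT pseudosection; a server that only echoes the client cookie is the "echo EDNS options" case the post mentions and does not count as supporting DNS COOKIE.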