[dns-operations] Effect of NAT on DNS requests

Mark Andrews marka at isc.org
Fri Nov 18 23:48:34 UTC 2016

In message <20161118170812.1226028e at p50.localdomain>, John Kristoff writes:
> On Fri, 18 Nov 2016 22:41:01 +0000
> Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> > Umm.. seems not at all on my box. Anyone ever looked at this?
> You may have seen Appendexi A in IETF RFC 6056 - Port Randomization
> already, but perhaps you haven't seen this academic paper?
>   Security of Patched DNS, Herzberg and Shulman
>   <http://u.cs.biu.ac.il/~herzbea/security/12-04-derandomisation.pdf>
> John

Port randomisation isn't needed with DNS COOKIE.  This is supported
in BIND 9.11.0 (on by default) and BIND 9.10.4 (configure switch /
on by default in the Windows binaries we ship).  We are already
seeing support at the root and TLD levels.

For the Alexa top 1M DNS COOKIE support is just shy of 1% [1].

1976 of 223911 (0.88%) EDNS capable servers return a Server EDNS COOKIE option 

Additionally named can use responses from servers that echo EDNS options.


[1] https://ednscomp.isc.org/compliance/alexa1m-report.html
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list