[dns-operations] Effect of NAT on DNS requests
marka at isc.org
Fri Nov 18 23:48:34 UTC 2016
In message <20161118170812.1226028e at p50.localdomain>, John Kristoff writes:
> On Fri, 18 Nov 2016 22:41:01 +0000
> Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> > Umm.. seems not at all on my box. Anyone ever looked at this?
> You may have seen Appendix A in IETF RFC 6056 - Port Randomization
> already, but perhaps you haven't seen this academic paper?
> Security of Patched DNS, Herzberg and Shulman
Port randomisation isn't needed with DNS COOKIE. This is supported
in BIND 9.11.0 (on by default) and BIND 9.10.4 (configure switch /
on by default in the Windows binaries we ship). We are already
seeing support at the root and TLD levels.
For the Alexa top 1M DNS COOKIE support is just shy of 1%.
1976 of 223911 (0.88%) EDNS capable servers return a Server EDNS COOKIE option
Additionally named can use responses from servers that echo EDNS options.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
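
Added example, not part of the original message and not ISC's survey code: a Python sketch that sorts a raw DNS response into the categories the message distinguishes (no EDNS, EDNS without COOKIE, option merely echoed, Server COOKIE returned) and rejects a reply whose client cookie does not match the query. The function names and the sample message bytes are constructed for illustration, and the parser assumes a complete, untruncated message.

```python
import struct

OPT, COOKIE = 41, 10   # OPT RR type (RFC 6891), COOKIE option code (RFC 7873)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]              # step over one label
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label 1

def cookie_state(rdata, client_cookie):
    """Walk the OPT RDATA options and judge the COOKIE option, if any."""
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, pos)
        data = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if code != COOKIE:
            continue
        if len(data) != 8 and not 16 <= len(data) <= 40:
            return "malformed"           # RFC 7873 allows 8 or 16..40 bytes
        if data[:8] != client_cookie:
            return "mismatch"            # not a reply to our query
        return "echo-only" if len(data) == 8 else "server-cookie"
    return "edns-no-cookie"

def classify(msg, client_cookie):
    """Classify one response by EDNS / DNS COOKIE support."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT:
            return cookie_state(msg[off:off + rdlen], client_cookie)
        off += rdlen
    return "no-edns"

def sample_response(options):
    """Constructed reply to 'example. A'; options=None means no OPT RR."""
    opt = b"" if options is None else (
        b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(options)) + options)
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 1 if opt else 0)
    return hdr + b"\x07example\x00" + struct.pack("!HH", 1, 1) + opt
```

An off-path spoofer who cannot see the query has to guess the 8-byte client cookie, which is why a "mismatch" reply is simply dropped.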