[dns-operations] Spoofing DNS with fragments

Florian Weimer fweimer at redhat.com
Mon Sep 10 21:31:52 UTC 2018


On 09/10/2018 10:49 PM, bert hubert wrote:
> Interrupting my rants against DNS over HTTPs centralized DNS for a bit, I
> wrote up this piecehttps://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/
> on the research by Haya Shulman and her team on spoofing DNS with fragments.

This is mostly a solved problem from the point of view of the low-level 
infrastructure: Current Linux has mitigations DNS servers can use to 
avoid fragmented responses for reasonable response buffer sizes (such as 
1200 bytes) even when ICMP path MTU poisoning is used.

The only things left to do is to set a flag (IP_PMTUDISC_OMIT is the 
easy to use variant) in DNS software and lower the buffer size to 1200 
bytes.  I could arrange for the Linux kernel changes, so upgrading DNS 
software should be rather smooth today, but it still puzzles me that DNS 
vendors ignored this issue, despite it being communicated clearly and 
widely as early as 2008.

By the way, I'm not sure if DNSSEC mitigates the denial-of-service 
aspect of this vulnerability.  If this attack is simple enough to carry 
out, people will use it to install bad glue for DNSSEC-secured domains, 
blocking successful resolution, just for fun.  There is no alternative 
to lowering the buffer size *and* avoiding fragmentation.

Thanks,
Florian


More information about the dns-operations mailing list