[dns-operations] Spoofing DNS with fragments
fweimer at redhat.com
Mon Sep 10 21:31:52 UTC 2018
On 09/10/2018 10:49 PM, bert hubert wrote:
> Interrupting my rants against DNS over HTTPs centralized DNS for a bit, I
> wrote up this piece https://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/
> on the research by Haya Shulman and her team on spoofing DNS with fragments.
This is mostly a solved problem from the point of view of the low-level
infrastructure: Current Linux has mitigations DNS servers can use to
avoid fragmented responses for reasonable response buffer sizes (such as
1200 bytes) even when ICMP path MTU poisoning is used.
The only things left to do are to set a flag (IP_PMTUDISC_OMIT is the
easy to use variant) in DNS software and lower the buffer size to 1200
bytes. I could arrange for the Linux kernel changes, so upgrading DNS
software should be rather smooth today, but it still puzzles me that DNS
vendors ignored this issue, despite it being communicated clearly and
widely as early as 2008.
By the way, I'm not sure if DNSSEC mitigates the denial-of-service
aspect of this vulnerability. If this attack is simple enough to carry
out, people will use it to install bad glue for DNSSEC-secured domains,
blocking successful resolution, just for fun. There is no alternative
to lowering the buffer size *and* avoiding fragmentation.
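The two mitigations named in the message above, as an added example written for this page and not code from the message's author, from PowerDNS or from any other DNS implementation: a Linux UDP socket opened with IP_PMTUDISC_OMIT (IPV6_PMTUDISC_OMIT for v6) so planted path-MTU values cannot cause fragmentation, plus a small wire-format walker that caps the EDNS UDP payload size carried in the OPT pseudo-record at 1200 bytes. The function names, the 1200-byte ceiling as a compile-time constant, and the sample query for example.com are assumptions and constructed input; the socket part is Linux-specific, and the OPT clamping goes a step beyond the message by showing where in a DNS packet the advertised size actually lives.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fallbacks for older libc headers; values match the Linux uapi. */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif
#ifndef IPV6_PMTUDISC_OMIT
#define IPV6_PMTUDISC_OMIT 5
#endif

#define DNS_SAFE_BUFSIZE 1200 /* ceiling suggested in the message (assumed constant) */
#define DNS_TYPE_OPT 41

/* Open a UDP socket that ignores path-MTU estimates entirely (Linux only).
 * IP_PMTUDISC_OMIT clears DF and makes the kernel disregard cached PMTU
 * values, including ones planted by spoofed ICMP "fragmentation needed",
 * so a datagram that fits the interface MTU leaves in one piece.
 * Returns the fd, or -1 with errno set. Hypothetical helper name. */
int open_dns_udp_socket(int family)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int rc;
    if (family == AF_INET6) {
        int v = IPV6_PMTUDISC_OMIT;
        rc = setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &v, sizeof v);
    } else {
        int v = IP_PMTUDISC_OMIT;
        rc = setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, sizeof v);
    }
    if (rc < 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    return fd;
}

/* Read the discovery mode back from a fresh socket; -1 if it cannot be opened. */
int demo_socket_mode(int family)
{
    int fd = open_dns_udp_socket(family);
    if (fd < 0)
        return -1;
    int v = -1;
    socklen_t len = sizeof v;
    if (family == AF_INET6)
        getsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &v, &len);
    else
        getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, &len);
    close(fd);
    return v;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Advance past a wire-format name (labels or a compression pointer).
 * Returns the offset after the name, or -1 if it runs off the message. */
static long skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = m[off];
        if ((l & 0xC0) == 0xC0)
            return off + 2 <= len ? (long)(off + 2) : -1;
        if (l == 0)
            return (long)(off + 1);
        off += 1 + l;
    }
    return -1;
}

/* Cap the UDP payload size carried in the OPT pseudo-RR (its CLASS field,
 * RFC 6891) at maxsize. Returns 1 if clamped, 0 if unchanged or no OPT
 * present, -1 on a malformed message. */
int clamp_opt_udp_size(uint8_t *m, size_t len, uint16_t maxsize)
{
    if (len < 12)
        return -1;
    unsigned qd = rd16(m + 4), an = rd16(m + 6), ns = rd16(m + 8), ar = rd16(m + 10);
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) { /* question section: name, type, class */
        long n = skip_name(m, len, off);
        if (n < 0 || (size_t)n + 4 > len)
            return -1;
        off = (size_t)n + 4;
    }
    for (unsigned i = 0; i < an + ns + ar; i++) { /* answer, authority, additional */
        long n = skip_name(m, len, off);
        if (n < 0 || (size_t)n + 10 > len)
            return -1;
        uint8_t *rr = m + n;
        uint16_t type = rd16(rr), rdlen = rd16(rr + 8);
        if (type == DNS_TYPE_OPT && i >= an + ns) { /* OPT lives in the additional section */
            if (rd16(rr + 2) > maxsize) {
                wr16(rr + 2, maxsize);
                return 1;
            }
            return 0;
        }
        off = (size_t)n + 10 + rdlen;
        if (off > len)
            return -1;
    }
    return 0;
}

/* Constructed sample: A query for example.com advertising a 4096-byte buffer. */
static const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0, 0x00, 0x29, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Clamp a copy of the sample and return the payload size it now carries. */
int demo_clamp_sample(void)
{
    uint8_t buf[sizeof sample_query];
    memcpy(buf, sample_query, sizeof buf);
    if (clamp_opt_udp_size(buf, sizeof buf, DNS_SAFE_BUFSIZE) != 1)
        return -1;
    return rd16(buf + 32); /* CLASS field of the OPT record in the sample */
}

int main(void)
{
    printf("OPT payload size after clamping: %d\n", demo_clamp_sample());
    int mode = demo_socket_mode(AF_INET);
    printf("IPv4 PMTU discovery mode: %d (%s)\n", mode,
           mode == IP_PMTUDISC_OMIT ? "IP_PMTUDISC_OMIT" : "not set");
    return 0;
}
```

Both halves matter together, as the message says: the socket option stops a planted PMTU from causing fragmentation, and the clamp keeps responses small enough that they are never fragmented at the interface MTU in the first place. A server would apply the clamp to the OPT record it emits in its own response (and to the size it honours from the query); the walker above is the same for both directions.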