[dns-operations] Spoofing DNS with fragments

Mark Andrews marka at isc.org
Mon Sep 10 21:39:36 UTC 2018

And it is totally defendable using TSIG with a well known key to secure the transaction.

e.g. name “.”, algorithm hmac-sha256, secret “all zero bits”.

key "." {
        algorithm hmac-sha256;

If you want more random bits then the current time and id give add them to the other data when constructing the initial TSIG requests.  Adding a 64 bit nonce in the field will work.

Upgrade clients to use TSIG by default with this key.  Add the key to existing server’s configuration.  Build it in to new servers.

Handle the expected error codes.  Remember when you have success. Use the last remaining
DNS header bit to signal that you support this protocol extension.


> On 11 Sep 2018, at 6:49 am, bert hubert <bert.hubert at powerdns.com> wrote:
> Hi everyone,
> Interrupting my rants against DNS over HTTPs centralized DNS for a bit, I
> wrote up this piece https://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/
> on the research by Haya Shulman and her team on spoofing DNS with fragments.
> In October they will present about this over at ACM Conference on Computer and Communications
> Security. 
> The team has done a demo of the technique for The Register journalist Richard
> Chirgwin, so it likely is possible to do under at least somewhat real life
> conditions. 
> More details can be found within the blog post.
> 	Bert
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the dns-operations mailing list