[dns-operations] Spoofing DNS with fragments
Robert Edmonds
edmonds at mycre.ws
Tue Sep 11 16:03:04 UTC 2018
Florian Weimer wrote:
> On 09/10/2018 10:49 PM, bert hubert wrote:
> > Interrupting my rants against DNS over HTTPs centralized DNS for a bit, I
> > wrote up this piece https://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/
> > on the research by Haya Shulman and her team on spoofing DNS with fragments.
>
> This is mostly a solved problem from the point of view of the low-level
> infrastructure: Current Linux has mitigations DNS servers can use to avoid
> fragmented responses for reasonable response buffer sizes (such as 1200
> bytes) even when ICMP path MTU poisoning is used.
>
> The only things left to do are to set a flag (IP_PMTUDISC_OMIT is the easy to
> use variant) in DNS software and lower the buffer size to 1200 bytes. I
> could arrange for the Linux kernel changes, so upgrading DNS software should
> be rather smooth today, but it still puzzles me that DNS vendors ignored
> this issue, despite it being communicated clearly and widely as early as
> 2008.
It looks like at least some DNS server implementations set the
IP_PMTUDISC_OMIT flag, e.g.:
https://github.com/NLnetLabs/unbound/commit/470b7bda8763c36a7db255d1d981f3ae06d41ba0
https://gitlab.isc.org/isc-projects/bind9/commit/a61f252391cd3a696ac7c31a468d86beb51f69e6
But I don't believe they do the second part of your recommendation, at
least not by default.
--
Robert Edmonds
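As an added illustration (not code from this thread, from Unbound or from BIND), here is what the two-part recommendation above looks like on a Linux UDP socket: setting IP_PMTUDISC_OMIT, and advertising a 1200-byte EDNS0 UDP payload size in the OPT pseudo-RR. It assumes Linux 3.15 or later (where IP_PMTUDISC_OMIT exists); the function names are my own.

```c
/* Added example (not from the thread or from any DNS server project):
 * 1. tell the kernel to ignore ICMP "fragmentation needed" hints and send
 *    unfragmented datagrams (IP_PMTUDISC_OMIT, Linux >= 3.15), and
 * 2. advertise a 1200-byte EDNS0 UDP payload size so responses fit. */
#define _GNU_SOURCE
#include <netinet/in.h>
#include <sys/socket.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#ifndef IP_MTU_DISCOVER
#define IP_MTU_DISCOVER 10   /* Linux value; older headers may lack it */
#endif
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5   /* Linux value from <linux/in.h> */
#endif

#define EDNS_BUFSIZE 1200    /* the buffer size recommended in the thread */
#define EDNS_OPT_LEN 11      /* root name + type + class + ttl + rdlen */

/* Part 1: set IP_PMTUDISC_OMIT on a UDP socket. 0 on success, -1 on error. */
int set_pmtudisc_omit(int fd) {
    int v = IP_PMTUDISC_OMIT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, sizeof v);
}

/* Read the current PMTU discovery mode back; -1 on error. */
int get_pmtudisc(int fd) {
    int v = -1;
    socklen_t len = sizeof v;
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, &len) < 0) return -1;
    return v;
}

/* Part 2: write an EDNS0 OPT pseudo-RR (RFC 6891) advertising `bufsize`.
 * Wire layout: NAME(1)=0, TYPE(2)=41, CLASS(2)=payload size, TTL(4)=0, RDLEN(2)=0.
 * Returns the bytes written (11), or -1 if `out` is too small. */
int build_edns_opt(uint8_t *out, size_t cap, uint16_t bufsize) {
    if (cap < EDNS_OPT_LEN) return -1;
    out[0] = 0;                              /* root domain name */
    out[1] = 0; out[2] = 41;                 /* TYPE = OPT */
    out[3] = bufsize >> 8; out[4] = bufsize & 0xff;   /* CLASS = UDP payload size */
    memset(out + 5, 0, 6);                   /* ext-rcode, version, flags, RDLEN */
    return EDNS_OPT_LEN;
}

/* Parse the advertised payload size out of an OPT record; 0 if not an OPT RR. */
uint16_t edns_opt_bufsize(const uint8_t *rr, size_t len) {
    if (len < EDNS_OPT_LEN || rr[0] != 0 || rr[1] != 0 || rr[2] != 41) return 0;
    return (uint16_t)((rr[3] << 8) | rr[4]);
}
```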