[dns-operations] Spoofing DNS with fragments

Robert Edmonds edmonds at mycre.ws
Tue Sep 11 16:03:04 UTC 2018


Florian Weimer wrote:
> On 09/10/2018 10:49 PM, bert hubert wrote:
> > Interrupting my rants against DNS over HTTPs centralized DNS for a bit, I
> > wrote up this piece https://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/
> > on the research by Haya Shulman and her team on spoofing DNS with fragments.
> 
> This is mostly a solved problem from the point of view of the low-level
> infrastructure: Current Linux has mitigations DNS servers can use to avoid
> fragmented responses for reasonable response buffer sizes (such as 1200
> bytes) even when ICMP path MTU poisoning is used.
> 
> The only things left to do is to set a flag (IP_PMTUDISC_OMIT is the easy to
> use variant) in DNS software and lower the buffer size to 1200 bytes.  I
> could arrange for the Linux kernel changes, so upgrading DNS software should
> be rather smooth today, but it still puzzles me that DNS vendors ignored
> this issue, despite it being communicated clearly and widely as early as
> 2008.

It looks like at least some DNS server implementations set the
IP_PMTUDISC_OMIT flag, e.g.:

https://github.com/NLnetLabs/unbound/commit/470b7bda8763c36a7db255d1d981f3ae06d41ba0

https://gitlab.isc.org/isc-projects/bind9/commit/a61f252391cd3a696ac7c31a468d86beb51f69e6

But I don't believe they do the second part of your recommendation, at
least not by default.

-- 
Robert Edmonds
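The two-part mitigation described in the thread (IP_PMTUDISC_OMIT on the server's UDP socket, plus capping the UDP payload at 1200 bytes) as an added C example for Linux; this is not code from the thread or from the Unbound/BIND commits linked above, and the function names, the IPv6 branch and the 512-byte floor are my own choices.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed for this example: ceiling from the thread's 1200-byte
 * recommendation, floor from the classic DNS-over-UDP limit. */
#define DNS_UDP_PAYLOAD_CEILING 1200
#define DNS_CLASSIC_UDP_LIMIT    512

/* Tell the kernel to ignore any learned (or ICMP-poisoned) path MTU and
 * never fragment locally, so an oversized datagram is dropped instead of
 * being sent in fragments. Returns 0 on success, -1 on error. Linux only. */
int harden_dns_udp_socket(int fd, int family)
{
    if (family == AF_INET) {
        int v = IP_PMTUDISC_OMIT;
        return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, sizeof v);
    }
    if (family == AF_INET6) {
        int v = IPV6_PMTUDISC_OMIT;
        return setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &v, sizeof v);
    }
    return -1;
}

/* Open an IPv4 UDP socket, harden it, and read the mode back so the
 * effect can be verified. Returns the mode, or -1 on any failure. */
int demo_v4_socket_mode(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), v = -1;
    socklen_t len = sizeof v;
    if (fd < 0) return -1;
    if (harden_dns_udp_socket(fd, AF_INET) != 0 ||
        getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, &len) != 0)
        v = -1;
    close(fd);
    return v;
}

/* Second half: honour at most 1200 bytes of UDP payload no matter what the
 * client's OPT record advertises, and never less than 512. */
uint16_t effective_udp_payload(uint16_t advertised)
{
    if (advertised < DNS_CLASSIC_UDP_LIMIT) return DNS_CLASSIC_UDP_LIMIT;
    if (advertised > DNS_UDP_PAYLOAD_CEILING) return DNS_UDP_PAYLOAD_CEILING;
    return advertised;
}

int main(void)
{
    printf("pmtu mode after hardening: %d (IP_PMTUDISC_OMIT is %d)\n",
           demo_v4_socket_mode(), IP_PMTUDISC_OMIT);
    printf("client advertises 4096 -> server uses %u\n", effective_udp_payload(4096));
    return 0;
}
```

Responses larger than the effective payload size must then be truncated (TC=1) so the client retries over TCP, which is what keeps the answer out of fragmented UDP.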


