[dns-operations] Spoofing DNS with fragments

Petr Špaček petr.spacek at nic.cz
Wed Sep 12 10:20:16 UTC 2018


On 11/09/2018 18:03, Robert Edmonds wrote:
> Florian Weimer wrote:
>> On 09/10/2018 10:49 PM, bert hubert wrote:
>>> Interrupting my rants against DNS over HTTPs centralized DNS for a bit, I
>>> wrote up this piece https://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/
>>> on the research by Haya Shulman and her team on spoofing DNS with fragments.
>>
>> This is mostly a solved problem from the point of view of the low-level
>> infrastructure: Current Linux has mitigations DNS servers can use to avoid
>> fragmented responses for reasonable response buffer sizes (such as 1200
>> bytes) even when ICMP path MTU poisoning is used.
>>
>> The only things left to do is to set a flag (IP_PMTUDISC_OMIT is the easy to
>> use variant) in DNS software and lower the buffer size to 1200 bytes.  I
>> could arrange for the Linux kernel changes, so upgrading DNS software should
>> be rather smooth today, but it still puzzles me that DNS vendors ignored
>> this issue, despite it being communicated clearly and widely as early as
>> 2008.
> 
> It looks like at least some DNS server implementations set the
> IP_PMTUDISC_OMIT flag, e.g.:
> 
> https://github.com/NLnetLabs/unbound/commit/470b7bda8763c36a7db255d1d981f3ae06d41ba0
> 
> https://gitlab.isc.org/isc-projects/bind9/commit/a61f252391cd3a696ac7c31a468d86beb51f69e6
> 
> But I don't believe they do the second part of your recommendation, at
> least not by default.

BTW I was experimenting with EDNS buffer size 1232 B once, and as far as
I remember it broke a non-negligible number of resolution attempts, so for
now we decided to keep our huge default (4k).

Unfortunately I cannot find notes from my previous experiment, so I do
not have data to share ...

-- 
Petr Špaček  @  CZ.NIC
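The socket-level half of the mitigation Florian describes (IP_PMTUDISC_OMIT on the server's UDP sockets), as an added example that is not code from this thread, from Unbound or from BIND; it assumes Linux, and the function names and the EDNS_UDP_SIZE constant are my own.

```c
// Open a DNS UDP socket with path-MTU discovery set to "omit": the kernel
// ignores the ICMP-learned path MTU (the value a forged "fragmentation
// needed" message would shrink) and sends with the interface MTU instead.
// Keeping responses at or below EDNS_UDP_SIZE is the other half of the
// advice; responses that do not fit get TC=1 and the client retries over TCP.
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

// Fallbacks for older libc headers; these are the Linux values.
#ifndef IP_MTU_DISCOVER
#define IP_MTU_DISCOVER 10
#endif
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 4
#endif
#ifndef IPV6_MTU_DISCOVER
#define IPV6_MTU_DISCOVER 23
#endif
#ifndef IPV6_PMTUDISC_OMIT
#define IPV6_PMTUDISC_OMIT 5
#endif

// Advertised EDNS UDP payload size (assumption: the 1200-byte figure from the thread).
#define EDNS_UDP_SIZE 1200

// Create a UDP socket for AF_INET or AF_INET6 with PMTU discovery omitted.
// Returns the descriptor, or -1 (errno set) if the socket or option fails.
int dns_udp_socket(int family) {
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int rc;
    if (family == AF_INET) {
        int mode = IP_PMTUDISC_OMIT;
        rc = setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof mode);
    } else {
        int mode = IPV6_PMTUDISC_OMIT;
        rc = setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &mode, sizeof mode);
    }
    if (rc < 0) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}

// Read the PMTU discovery mode back, so a deployment check can confirm the
// option really took effect. Returns the mode, or -1 on error.
int dns_udp_pmtudisc_mode(int fd, int family) {
    int mode = -1;
    socklen_t len = sizeof mode;
    int level = (family == AF_INET) ? IPPROTO_IP : IPPROTO_IPV6;
    int opt = (family == AF_INET) ? IP_MTU_DISCOVER : IPV6_MTU_DISCOVER;
    if (getsockopt(fd, level, opt, &mode, &len) < 0) return -1;
    return mode;
}
```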


