[dns-operations] Spoofing DNS with fragments

Hellqvist, Björn bjorn.hellqvist at teliacompany.com
Wed Sep 12 12:32:54 UTC 2018


Hi,

As a larger ISP and carrier operator, our resolvers towards our customers have been using minimal responses and a max UDP size of 1324 for years (my guess is 15+ years).

1324 was selected since it was the largest UDP packet size that did not trigger a bug in a function in the routers we were using at that time.

But since most of the responses are smaller than that, we have never bothered to remove that limit. We only see a really small amount of TCP requests, and with a quick calculation it is less than 0.025%.

The only larger problem I remember that we have encountered with the lowered max size was when a very large smart phone vendor was sending a very large response with a lot of A records during an update of their firmware, presumably to balance the load, and that some brands of home broadband routers at that time thought that DNS was only using UDP.

BR,
Bjorn Hellqvist
Senior System Expert (Internet & DNS)
Telia Company
Solna, Sweden




> -----Original Message-----
> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf
> Of Tony Finch
> Sent: den 12 september 2018 12:37
> To: dns-operations <dns-operations at dns-oarc.net>
> Subject: Re: [dns-operations] Spoofing DNS with fragments
> 
> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> >
> > With broad adoption of DNSCurve, TLS, HTTPS, ... not very likely the
> > TSIG suggestion might actually be possible to get deployed.  Or, as
> > suggested in this thread, we could configure our servers to cap UDP
> > EDNS buffer sizes at ~1200 bytes (perhaps with the exception of
> > loopback interface clients), thereby closing the opportunity for
> > forgeries of predicted fragments, reducing reported issues with DNSSEC
> > over IPv6 and capping response amplification.
> 
> Yes, we should make more effort to deprecate fragmented DNS.
> 
> https://mailarchive.ietf.org/arch/msg/dnsop/xnJjuOFRE4IiT7uqEFyqhYKKT7c
> 
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/ democracy, participation,
> and the co-operative principle
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
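An added example, not part of the original message or of any resolver's code: how a server-side UDP size cap such as the 1324 or ~1200 bytes discussed above interacts with the size a client advertises in its EDNS0 OPT record. It assumes the server uses the smaller of the two values and sets TC on anything larger so the client retries over TCP; the function names and the sample query are constructed for illustration.

```python
import struct

OPT = 41             # EDNS0 pseudo-RR type (RFC 6891)
PLAIN_DNS_MAX = 512  # UDP limit when the query carries no OPT record

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n

def advertised_udp_size(msg):
    """UDP payload size the client advertises in its OPT record."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT:
            return max(rclass, PLAIN_DNS_MAX)   # CLASS field holds the size
        off += 10 + rdlen
    return PLAIN_DNS_MAX

def udp_decision(query, response_len, server_cap):
    """Return (limit, action) for a response of response_len bytes."""
    limit = min(advertised_udp_size(query), server_cap)
    action = "send-udp" if response_len <= limit else "set-TC-retry-over-TCP"
    return limit, action

def build_query(name, edns_size=None):
    """Constructed sample query for an A record, optionally with OPT."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += qname + struct.pack("!HH", 1, 1)
    if edns_size:
        msg += b"\0" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return msg

if __name__ == "__main__":
    q = build_query("example.com", 4096)        # client offers 4096 bytes
    for size in (900, 1324, 1400, 3000):
        print(size, udp_decision(q, size, server_cap=1324))
```

With the cap at 1324, a client advertising 4096 bytes still gets nothing larger than 1324 over UDP, so the answer stays below the usual 1500-byte Ethernet MTU and is not fragmented there.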



