[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH

Grant Taylor gtaylor at tnetconsulting.net
Sat May 18 04:33:09 UTC 2019

On 5/17/19 4:50 PM, Ángel wrote:
> No. The client could be making more than one connection and, since 
> it has a non-expired dns answer for that host, instead of making a 
> superfluous dns query, connect directly, long after your firewall 
> considered that it already gave it plenty of time for the *first* 
> connection.

Good point.

> If you want to restrict the time the hole is open, you should change 
> the returned TTL to an appropriate value. But having the firewall 
> rule set to TTL+ε is the right call.

Thank you for the explanation.

I guess the exposure is also somewhat minimized by using a source and 
destination IP address pair.

That does make me wonder how QNAMEs with multiple A / AAAA records would 
be handled.  I assume that you would need to pinhole all IPs or return a 
single IP.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190517/33e98a14/attachment.bin>

More information about the dns-operations mailing list