[dns-operations] [Ext] Nameserver responses from different IP than destination of request

Paul Vixie paul at redbarn.org
Wed Sep 9 09:02:25 UTC 2020


On Wed, Sep 09, 2020 at 10:15:49AM +1000, Mark Andrews wrote:
> 
> Which in part is why I came up with DNS COOKIES.  As long as the server
> supports DNS COOKIE you can use a single socket and have more than enough
> entropy to defeat off path attacks.  You can fall back to using separate
> sockets for servers that don't support DNS COOKIES.
> 

+1. DNS COOKIE was a brilliant bit of work. but you should mention the RFC#
and perhaps say which well known DNS implementations support it, to be more
convincing to people who are not me.

-- 
Paul Vixie
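
An added example, not part of the thread or of any DNS implementation: a client-side check of the echoed client cookie on a shared socket, using the EDNS COOKIE wire format of RFC 7873. The function names and the 'no-cookie' policy (requery from a separate socket, as in the fallback described in the quoted message) are assumptions made for illustration.

```python
import hmac, struct

COOKIE_OPT = 10  # EDNS0 option code for COOKIE; the OPT RR type is 41

def build_query(qname, client_cookie, txid):
    """A/IN query whose OPT RR carries the 8-byte client cookie."""
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    opt = struct.pack("!HH", COOKIE_OPT, len(client_cookie)) + client_cookie
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
            + question + struct.pack("!HH", 1, 1)
            + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(opt)) + opt)

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)          # pointer is 2 bytes, root is 1

def response_cookie(msg):
    """Return the COOKIE option payload found in an OPT RR, else None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off, p = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        while rtype == 41 and p + 4 <= len(rdata):
            code, length = struct.unpack("!HH", rdata[p:p + 4])
            if code == COOKIE_OPT:
                return rdata[p + 4:p + 4 + length]
            p += 4 + length
    return None

def classify(msg, txid, client_cookie):
    """'accept', 'drop', or 'no-cookie' (assumed policy: requery from a
    separate socket instead of trusting the answer on the shared one)."""
    try:
        rid, flags = struct.unpack("!HH", msg[:4])
        if rid != txid or not flags & 0x8000:    # wrong ID or not a response
            return "drop"
        cookie = response_cookie(msg)
    except (IndexError, struct.error):           # truncated or malformed
        return "drop"
    if cookie is None:
        return "no-cookie"
    # A server cookie (8 to 32 bytes) may follow the echoed client cookie.
    return "accept" if hmac.compare_digest(cookie[:8], client_cookie) else "drop"
```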
