[dns-operations] [Ext] Nameserver responses from different IP than destination of request
Paul Vixie
paul at redbarn.org
Wed Sep 9 09:02:25 UTC 2020
On Wed, Sep 09, 2020 at 10:15:49AM +1000, Mark Andrews wrote:
>
> Which in part is why I came up with DNS COOKIES. As long as the server
> supports DNS COOKIE you can use a single socket and have more than enough
> entropy to defeat off path attacks. You can fall back to using separate
> sockets for servers that don't support DNS COOKIES.
>
+1. DNS COOKIE was a brilliant bit of work. but you should mention the RFC#
and perhaps say which well known DNS implementations support it, to be more
convincing to people who are not me.
--
Paul Vixie