[dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

Xiang Li idealeer521 at gmail.com
Wed Sep 27 01:58:09 UTC 2023


Hi Stephane,

This is Xiang, the author of this paper.

For the off-path attack, DoT can protect the CDNS from being poisoned.
For the on-path attack, since the forwarding query is sent to the
attacker's server, only DNSSEC can mitigate the MaginotDNS.

Best,
Xiang

On Tue, Sep 26, 2023 at 11:42 PM Stephane Bortzmeyer <bortzmeyer at nic.fr>
wrote:

> I'm reading the paper behind "MaginotDNS: Attacking the boundary of
> DNS caching protection"
> <
> https://blog.apnic.net/2023/09/26/maginotdns-attacking-the-boundary-of-dns-caching-protection/
> >
> <https://www.usenix.org/system/files/usenixsecurity23-li-xiang.pdf>.
>
> Am I correct to think that forwarding from the CDNS to the upstream
> resolver with DoT (DNS over TLS) would be sufficient to disable the
> attack (even TCP or cookies would be enough if the attacker is
> off-path)?
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20230927/717cff82/attachment.html>


More information about the dns-operations mailing list