[dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection
Ralf Weber
dns at fl1ger.de
Wed Sep 27 07:38:57 UTC 2023
Moin!
On 27 Sep 2023, at 3:58, Xiang Li wrote:
> Hi Stephane,
>
> This is Xiang, the author of this paper.
>
> For the off-path attack, DoT can protect the CDNS from being poisoned.
> For the on-path attack, since the forwarding query is sent to the
> attacker's server, only DNSSEC can mitigate the MaginotDNS.
I don’t think this is true otherwise all resolver implementations would
have been affected and not just a few. If you are on path direct behind
the resolver of course all bets are off, but if you are on path just
between the resolver and the forwarder those resolvers that are more
cautious in what cache information they use for iterative queries are not
vulnerable.
I guess that is why Akamai Cacheserve, NLNet Labs Unbound and PowerDNS
Recursor are not mentioned in the paper because they were not vulnerable.
I agree that DNSSEC can fully mitigate it and should be used. Any
encrypted transport to a forwarder also would work, but IMHO it probably
would be better to not use forwarding at all.
So long
-Ralf
——-
Ralf Weber
More information about the dns-operations
mailing list