<div dir="ltr">Hi Stephane,<div><br></div><div>This is Xiang, the author of this paper.</div><div><br></div><div>For the off-path attack, DoT can protect the CDNS from being poisoned.</div><div>For the on-path attack, since the forwarded query is sent to the</div><div>attacker's server, only DNSSEC can mitigate MaginotDNS.</div><div><br></div><div>Best,</div><div>Xiang</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 26, 2023 at 11:42 PM Stephane Bortzmeyer <<a href="mailto:bortzmeyer@nic.fr">bortzmeyer@nic.fr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I'm reading the paper behind "MaginotDNS: Attacking the boundary of<br>
DNS caching protection"<br>
<<a href="https://blog.apnic.net/2023/09/26/maginotdns-attacking-the-boundary-of-dns-caching-protection/" rel="noreferrer" target="_blank">https://blog.apnic.net/2023/09/26/maginotdns-attacking-the-boundary-of-dns-caching-protection/</a>><br>
<<a href="https://www.usenix.org/system/files/usenixsecurity23-li-xiang.pdf" rel="noreferrer" target="_blank">https://www.usenix.org/system/files/usenixsecurity23-li-xiang.pdf</a>>.<br>
<br>
Am I correct to think that forwarding from the CDNS to the upstream<br>
resolver with DoT (DNS over TLS) would be sufficient to disable the<br>
attack (even TCP or cookies would be enough if the attacker is<br>
off-path)?<br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div>