List: pdns-users
Subject: Re: [Pdns-users] Enforcing clients to use TCP for DNS queries
From: Oguz Yilmaz <oguzyilmazlist () gmail ! com>
Date: 2012-06-06 11:10:12
Message-ID: CAAo+KFkzgcZiOS0akXz-Zyp904uUb+QK7RdQToyqVJ2KCNAyoA () mail ! gmail ! com
On Wed, Jun 6, 2012 at 12:36 AM, Peter van Dijk
<peter.van.dijk@netherlabs.nl> wrote:
> Hello Oguz,
>
> On Jun 5, 2012, at 11:52 , Oguz Yilmaz wrote:
>
> > UDP DNS is open to spoofing. Setting TC bit and requesting TCP query
> > may be a mechanism for client identity authenticity. However, what do
> > you think about interoperability of clients when they get a re-query
> > request through TC bit?
>
>
> Saying UDP DNS is open to spoofing is a bit harsh - ID and port should not be very predictable in most situations, and this should help.
> Additionally, as long as your plan is to send UDP TC packets so that people will fall back to TCP, the spoofer is just fighting against your TC packet instead of fighting against your UDP-with-content response. I'm not sure this would add any security.
Actually, my point is to get rid of UDP-level IP spoofing.
> And on a sidenote, it is not uncommon for cheap home routers to not support TCP DNS at all. My Fritz!Box at home did not support TCP DNS until a month ago, for example.
This is really important. If a variety of routers also have this
problem, the method is open to new connection problems.
Thanks.
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
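The thread turns on two points: a UDP answer is only as trustworthy as the transaction ID and source port the spoofer has to guess, and a TC-bit datagram is forged exactly as easily as a full answer, so forcing TCP fallback buys no extra assurance about the sender. The following is an added example, not code from the thread or from PowerDNS; it shows the checks a stub resolver applies to a UDP reply (transaction ID, QR bit, echoed question) before it either accepts the answer, discards it, or re-asks the same question over TCP because TC is set. All messages are constructed inline, so it runs offline; the function names and the `make_reply` helper are assumptions for the demo.

```python
"""Stub-resolver handling of UDP DNS replies and the TC bit (added example)."""
import os
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000   # response bit
FLAG_TC = 0x0200   # truncated: re-query over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None):
    """Build a standard recursive query; txid is random unless fixed for tests."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Unpack the 12-byte DNS header into the fields the resolver checks."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def question_section(msg):
    """Return the raw question (name + type + class) of a one-question message.
    Assumes no label compression in the question, as in real queries and
    honest echoes of them."""
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compressed label in question section")
        pos += 1 + length
    end = pos + 4
    if end > len(msg):
        raise ValueError("truncated question")
    return msg[12:end]


def classify_reply(query, reply):
    """Return 'discard', 'retry_tcp' or 'accept' for a UDP datagram.

    A datagram that does not echo our transaction ID and our question is
    dropped; together with the (unchecked here) source port, that ID is what
    a blind spoofer has to guess. The check is identical whether the
    datagram carries an answer or only the TC bit.
    """
    try:
        qh, rh = parse_header(query), parse_header(reply)
        if not rh["qr"] or rh["id"] != qh["id"] or rh["qdcount"] != 1:
            return "discard"
        if question_section(reply) != question_section(query):
            return "discard"
    except ValueError:
        return "discard"
    if rh["tc"]:
        # Truncated: the same question must be re-sent over TCP.
        return "retry_tcp"
    return "accept"


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def make_reply(query, tc=False, txid=None, rcode=0):
    """Constructed sample reply echoing the query's question (demo helper)."""
    qh = parse_header(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode
    if tc:
        flags |= FLAG_TC
    rid = qh["id"] if txid is None else txid
    return struct.pack("!HHHHHH", rid, flags, 1, 0, 0, 0) + question_section(query)


if __name__ == "__main__":
    q = build_query("example.com.")
    print(classify_reply(q, make_reply(q, tc=True)))                        # retry_tcp
    print(classify_reply(q, make_reply(q, txid=parse_header(q)["id"] ^ 1)))  # discard
    print(frame_for_tcp(q)[:2].hex())                                        # length prefix
```

The point the reply in the thread makes shows up directly in `classify_reply`: the acceptance test for a TC-only datagram is the same ID-and-question match as for a full answer, so an attacker who can win the race against the real UDP answer can equally win it against the real TC packet. What the TC path does change is the transport of the second round trip, which is where routers that drop TCP/53 turn the idea into a connectivity problem rather than a security one.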