DNS query repetition ( was DNS Hardening )
George Barwood
george.barwood at blueyonder.co.uk
Sat Aug 8 20:44:15 UTC 2009
In an earlier thread, Jon Levine asked
> Other than DNSSEC, I'm aware of these relatively simple hacks to add
> entropy to DNS queries.
> 1) Random query ID
> 2) Random source port
> 3) Random case in queries, e.g. GooGLe.CoM
> 4) Ask twice (with different values for the first three hacks) and compare
> the answers
> I presume everyone is doing the first two. Any experience with the other
> two to report?
I have implemented a (public domain) DNS cache "GbDns" that implements both
3 and 4 ( and also DnsCurve ).
For non-deterministic authorities, such as Akamai, more than 2 queries are
needed, and some relatively complex code.
It turns out to be completely practical, albeit leading to an increase in
the number of packets.
Source code and a link to an IETF draft that describes the method is at
http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/
Regards,
George Barwood
( New subscriber, hence the new thread )
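Added example, not code from GbDns or from either poster: a minimal illustration of hacks 1, 3 and 4 from the quoted list on constructed packets, with no network access. It builds an A query with a random transaction ID and 0x20 mixed-case QNAME, accepts a reply only if both the ID and the exact case of the question echo back, and then applies ask-N-and-compare by voting across independently randomised queries. Source-port randomisation is left to the socket layer and not shown. The vote threshold used for round-robin authorities (keep an address seen in at least `min_votes` of `n_queries` replies) is an assumption of this example, not the method in the IETF draft; `round_robin_authority` is a constructed stand-in for an Akamai-style authority, and the addresses are made up.

```python
# Added example (not GbDns): random ID + 0x20 case + ask-N compare on constructed packets.
import random
import struct
from collections import Counter


def encode_0x20_name(name, rng):
    """Wire-format QNAME with each letter's case chosen at random (the 0x20 trick)."""
    out = b""
    for label in name.rstrip(".").split("."):
        mixed = "".join(c.upper() if rng.getrandbits(1) else c.lower() for c in label)
        out += bytes([len(mixed)]) + mixed.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, rng=random):
    """Return (packet, txid, qname_wire): recursive query with random ID and 0x20 case."""
    txid = rng.getrandbits(16)
    qname = encode_0x20_name(name, rng)
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return pkt, txid, qname


def build_response(query_pkt, rdatas, ttl=60):
    """Constructed reply: echoes the question, then one A RR (compression pointer) per rdata."""
    hdr = query_pkt[:2] + struct.pack("!HHHHH", 0x8180, 1, len(rdatas), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(r)) + r for r in rdatas)
    return hdr + query_pkt[12:] + rrs


def _skip_name(buf, off):
    """Offset just past a (possibly compressed) wire-format name."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1


def parse_response(pkt):
    """Return (txid, first question name as raw bytes, [answer rdata, ...])."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qend = _skip_name(pkt, 12)
    qname = pkt[12:qend]
    off = qend + 4  # QTYPE, QCLASS
    for _ in range(qd - 1):
        off = _skip_name(pkt, off) + 4
    rdatas = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdatas.append(pkt[off:off + rdlen])
        off += rdlen
    return txid, qname, rdatas


def response_matches(txid, qname, pkt):
    """Accept only if the ID and the exact 0x20 case of the question echo back."""
    rtxid, rqname, _ = parse_response(pkt)
    return rtxid == txid and rqname == qname


def accepted_answers(responses, min_votes):
    """Keep an rdata only if at least min_votes independent replies carried it.
    n=2, min_votes=2 is plain ask-twice-and-compare; a lower bar over more
    queries is this example's assumed heuristic for round-robin authorities."""
    votes = Counter()
    for pkt in responses:
        votes.update(set(parse_response(pkt)[2]))
    return {r for r, c in votes.items() if c >= min_votes}


def resolve(name, authority, n_queries, min_votes, rng=random):
    """Send n_queries independently randomised queries to `authority` (callable:
    query packet -> reply packet), drop replies failing the ID/0x20 check, vote."""
    accepted = []
    for _ in range(n_queries):
        pkt, txid, qname = build_query(name, rng=rng)
        reply = authority(pkt)
        if response_matches(txid, qname, reply):
            accepted.append(reply)
    return accepted_answers(accepted, min_votes) if len(accepted) >= min_votes else set()


def round_robin_authority(addrs):
    """Constructed non-deterministic authority: each reply is a different two-address window."""
    state = {"i": 0}

    def reply(q):
        i = state["i"]
        state["i"] += 1
        return build_response(q, [addrs[i % len(addrs)], addrs[(i + 1) % len(addrs)]])
    return reply


if __name__ == "__main__":
    A1, A2, A3 = b"\xc0\xa8\x00\x01", b"\xc0\xa8\x00\x02", b"\xc0\xa8\x00\x03"  # constructed
    print("deterministic, ask twice:", resolve("example.com", lambda q: build_response(q, [A1]), 2, 2))
    # forger guesses the ID but re-encodes the name in lowercase: 0x20 check rejects it
    print("case-blind forger:", resolve("example.com", lambda q: build_response(q[:12] + q[12:].lower(), [A2]), 2, 2))
    print("round robin, 2 queries:", resolve("example.com", round_robin_authority([A1, A2, A3]), 2, 2))
    print("round robin, 3 queries:", resolve("example.com", round_robin_authority([A1, A2, A3]), 3, 2))
```

With a deterministic authority two queries suffice and any reply whose question does not echo the random case is discarded before comparison; with a rotating authority two exact queries agree only on the overlap, which is why more queries (and a voting rule) are needed, as the post notes.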