DNS hardening, was Re: Dan Kaminsky
bert.hubert at netherlabs.nl
Wed Aug 5 12:12:38 CDT 2009
On Wed, Aug 5, 2009 at 6:48 PM, John Levine<johnl at iecc.com> wrote:
> 3) Random case in queries, e.g. GooGLe.CoM
> 4) Ask twice (with different values for the first three hacks) and
> compare the answers
> I presume everyone is doing the first two. Any experience with the
> other two to report?
3 works, but offers zero protection against 'kaminsky spoofing the
root' since you can't fold the case of "123456789.". And the root is
4 breaks on Akamai and many other CDNs. Even 'ask thrice, and take the
majority answer' doesn't work there.
5 is 'edns ping', but it was effectively blocked because people
thought DNSSEC would be easier to do, or demanded that EDNS PING
(http://edns-ping.org) would offer everything that DNSSEC offered.
More information about the NANOG