DNS hardening, was Re: Dan Kaminsky

bert hubert bert.hubert at netherlabs.nl
Wed Aug 5 12:12:38 CDT 2009


On Wed, Aug 5, 2009 at 6:48 PM, John Levine<johnl at iecc.com> wrote:
> 3) Random case in queries, e.g. GooGLe.CoM
> 4) Ask twice (with different values for the first three hacks) and
> compare the answers
>
> I presume everyone is doing the first two.  Any experience with the
> other two to report?

3 works, but offers zero protection against 'kaminsky spoofing the
root' since you can't fold the case of "123456789.". And the root is
the goal.
4 breaks on Akamai and many other CDNs. Even 'ask thrice, and take the
majority answer' doesn't work there.

5 is 'edns ping', but it was effectively blocked because people
thought DNSSEC would be easier to do, or demanded that EDNS PING
(http://edns-ping.org) would offer everything that DNSSEC offered.

   Bert




More information about the NANOG mailing list