DNS query repetition ( was DNS Hardening )

George Barwood george.barwood at blueyonder.co.uk
Sat Aug 8 15:44:15 CDT 2009


In an earlier thread, Jon Levine asked

> Other than DNSSEC, I'm aware of these relatively simple hacks to add 
> entropy to DNS queries.

> 1) Random query ID

> 2) Random source port

> 3) Random case in queries, e.g. GooGLe.CoM

> 4) Ask twice (with different values for the first three hacks) and compare 
> the answers

> I presume everyone is doing the first two.  Any experience with the other 
> two to report?

I have implemented a (public domain) DNS cache "GbDns" that implements both 
3 and 4 ( and also DnsCurve ).

For non-deterministic authorities, such as Akamai, more that 2 queries are 
needed, and some relatively complex code.

It turns out to be completely practical, albeit leading to an increase in 
the number of packets.

Source code and a link to an IETF draft that describes the method is at

http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/

Regards,
George Barwood

( New subscriber, hence the new thread ) 







More information about the NANOG mailing list