<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
bert hubert wrote:
<blockquote cite="mid:20090208002940.GA30077@outpost.ds9a.nl"
type="cite">
<pre wrap="">One small note - EDNS-PING is *not* yet an official standard. It is like
buying a '802.11N DRAFT' router!
But it is unlikely the technical details (wire format) of EDNS-PING will
change, since the specification is so simple.
</pre>
</blockquote>
<br>
Bert,<br>
<br>
the two important questions to ask here are:<br>
<br>
- will this break any old/broken-but-common dns resolver implementation
out there?<br>
- will this help stop / prevent the recent DDoS dns-based attacks we've
all seen the past few weeks?<br>
<br>
Regards,<br>
<br>
Frank<br>
<br>
<blockquote cite="mid:20090208002940.GA30077@outpost.ds9a.nl"
type="cite">
<pre wrap=""> Bert
On Sun, Feb 08, 2009 at 01:22:29AM +0100, bert hubert wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi everybody,
Quoting from <a class="moz-txt-link-freetext" href="http://edns-ping.org">http://edns-ping.org</a> :
EDNS-PING is an option within the EDNS DNS framework which allows
nameservers to protect themselves from certain "spoofing" attacks.
By default, responses to DNS questions are matched to their questions by
making sure they share the same DNS transaction ID, IP and network
endpoints.
In certain scenarios, it may be feasible for an external attacker to
inject responses that artificially match the criteria outlined above.
This problem would not occur if the DNS transaction ID would not have
been limited to 65536 distinct values.
EDNS-PING in effect allows for a far longer DNS transaction ID, making it
infeasible for an external attacker to inject "fake" responses.
EDNS-PING is a work of David Ulevitch of OpenDNS, and of me.
Not much noise was made about this, but PowerDNS Authoritative Server 2.9.22
shipped with EDNS-PING support built in.
Today, this is complemented by a PowerDNS Recursor 3.1.8-prerelease, which
can make use of EDNS-PING to protect your DNS queries from spoofing.
Please find the snapshot on:
<a class="moz-txt-link-freetext" href="http://svn.powerdns.com/snapshots/pdns-recursor-3.1.8-pre.tar.bz2">http://svn.powerdns.com/snapshots/pdns-recursor-3.1.8-pre.tar.bz2</a>
To test, try to resolve '<a class="moz-txt-link-abbreviated" href="http://www.edns-ping.org">www.edns-ping.org</a>', and watch the log file, which
should then contain the following message:
Feb 08 01:21:00 We welcome 85.17.219.217 to the land of EDNS-PING!
For more information, see <a class="moz-txt-link-freetext" href="http://edns-ping.org">http://edns-ping.org</a>
PS: This is another very good reason to upgrade your authoritative PowerDNS
servers to 2.9.22!
Bert
--
<a class="moz-txt-link-freetext" href="http://www.PowerDNS.com">http://www.PowerDNS.com</a> Open source, database driven DNS Software
<a class="moz-txt-link-freetext" href="http://netherlabs.nl">http://netherlabs.nl</a> Open and Closed source services
_______________________________________________
Pdns-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a>
<a class="moz-txt-link-freetext" href="http://mailman.powerdns.com/mailman/listinfo/pdns-users">http://mailman.powerdns.com/mailman/listinfo/pdns-users</a>
!DSPAM:498e25f5300677472095810!
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
</body>
</html>