[Pdns-dev] PowerDNS Recursor 3.1.8-prerelease with EDNS-PING

bert hubert bert.hubert at netherlabs.nl
Sun Feb 8 01:22:29 CET 2009

Hi everybody,

Quoting from http://edns-ping.org :

   EDNS-PING is an option within the EDNS DNS framework which allows
   nameservers to protect themselves from certain "spoofing" attacks.

   By default, responses to DNS questions are matched to their questions by
   making sure they share the same DNS transaction ID, IP and network

   In certain scenarios, it may be feasible for an external attacker to
   inject responses that artificially match the criteria outlined above.

   This problem would not occur if the DNS transaction ID would not have
   been limited to 65536 distinct values.

   EDNS-PING in effect allows for a far longer DNS transaction ID, making it
   infeasible for an external attacker to inject "fake" responses.

EDNS-PING is a work of David Ulevitch of OpenDNS, and of me. 

Not much noise was made about this, but PowerDNS Authoritative Server 2.9.22
shipped with EDNS-PING support built in.

Today, this is complemented by a PowerDNS Recursor 3.1.8-prerelease, which
can make use of EDNS-PING to protect your DNS queries from spoofing.

Please find the snapshot on:

To test, try to resolve 'www.edns-ping.org', and watch the log file, which
should then contain the following message:

Feb 08 01:21:00 We welcome to the land of EDNS-PING!

For more information, see http://edns-ping.org

PS: This is another very good reason to upgrade your authoritative PowerDNS
servers to 2.9.22!
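The matching rule the quoted text describes, as an added example that is not code from this post or from PowerDNS: a minimal resolver-side check that accepts a reply only when the transaction ID, the question section and an EDNS-PING nonce echoed in the OPT record all match. The EDNS option code (65001, from the local/experimental range), the 8-byte nonce and the messages themselves are constructed here, since the post gives no wire details.

```python
import struct
# The page gives no option code for EDNS-PING; this demo uses one from the IANA
# local/experimental range, so the number is an assumption, not the real code.
PING_OPTION_CODE = 65001

def _opt_rr(nonce):
    """OPT pseudo-RR (type 41, UDP size 4096) carrying the PING option with `nonce`."""
    option = struct.pack("!HH", PING_OPTION_CODE, len(nonce)) + nonce
    return b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option

def build_query(txid, name, nonce):
    """Header (RD set, 1 question, 1 additional), A/IN question, then the OPT RR."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1) + _opt_rr(nonce)

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def build_response(query, nonce):
    """Constructed reply echoing the query's txid and question, with `nonce` in its OPT RR."""
    qend = _skip_name(query, 12) + 4
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 1) + query[12:qend] + _opt_rr(nonce)

def extract_ping_nonce(msg):
    """Walk every section, find the OPT RR and return its PING option payload (or None)."""
    off, (qd, an, ns, ar) = 12, struct.unpack("!HHHH", msg[4:12])
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off, pos = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        while rtype == 41 and pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code == PING_OPTION_CODE:
                return rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
    return None

def response_matches(query, response):
    """Classic check (txid + question section) plus the EDNS-PING nonce echo."""
    qend = _skip_name(query, 12) + 4
    if query[:2] != response[:2] or query[12:qend] != response[12:qend]:
        return False
    nonce = extract_ping_nonce(query)
    return nonce is not None and extract_ping_nonce(response) == nonce
```

A reply that guesses the 16-bit transaction ID but not the nonce is rejected, which is the effect the quoted text describes as a "far longer DNS transaction ID".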