[Pdns-dev] Re: [Pdns-users] PowerDNS Recursor 3.1.8-prerelease with EDNS-PING

bert hubert bert.hubert at netherlabs.nl
Sun Feb 8 01:29:40 CET 2009


One small note - EDNS-PING is *not* yet an official standard. It is like
buying a '802.11N DRAFT' router!

But it is unlikely the technical details (wire format) of EDNS-PING will
change, since the specification is so simple.

	Bert

On Sun, Feb 08, 2009 at 01:22:29AM +0100, bert hubert wrote:
> Hi everybody,
> 
> Quoting from http://edns-ping.org :
> 
>    EDNS-PING is an option within the EDNS DNS framework which allows
>    nameservers to protect themselves from certain "spoofing" attacks.
> 
>    By default, responses to DNS questions are matched to their questions by
>    making sure they share the same DNS transaction ID, IP and network
>    endpoints.
> 
>    In certain scenarios, it may be feasible for an external attacker to
>    inject responses that artificially match the criteria outlined above.
> 
>    This problem would not occur if the DNS transaction ID had not been
>    limited to 65536 distinct values.
> 
>    EDNS-PING in effect allows for a far longer DNS transaction ID, making it
>    infeasible for an external attacker to inject "fake" responses.
> 
> EDNS-PING is a work of David Ulevitch of OpenDNS, and of me. 
> 
> Not much noise was made about this, but PowerDNS Authoritative Server 2.9.22
> shipped with EDNS-PING support built in.
> 
> Today, this is complemented by a PowerDNS Recursor 3.1.8-prerelease, which
> can make use of EDNS-PING to protect your DNS queries from spoofing.
> 
> Please find the snapshot on:
> http://svn.powerdns.com/snapshots/pdns-recursor-3.1.8-pre.tar.bz2
> 
> To test, try to resolve 'www.edns-ping.org', and watch the log file, which
> should then contain the following message:
> 
> Feb 08 01:21:00 We welcome 85.17.219.217 to the land of EDNS-PING!
> 
> For more information, see http://edns-ping.org
> 
> PS: This is another very good reason to upgrade your authoritative PowerDNS
> servers to 2.9.22!
> 
> 	Bert
> 
> -- 
> http://www.PowerDNS.com      Open source, database driven DNS Software 
> http://netherlabs.nl              Open and Closed source services
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
> 
> 

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
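The quoted announcement explains the idea behind EDNS-PING (a long random value carried in an EDNS option that a response must echo, so that matching a response takes far more than a 16-bit transaction ID guess) but not the wire details. The following is an added illustration written for this page, not code from PowerDNS, OpenDNS or edns-ping.org: it builds a query carrying a nonce in an OPT option, builds a genuine response that echoes it, and shows that a forged response which has already won the 16-bit transaction ID race is still rejected. The option code PING_OPTION_CODE and the nonce length NONCE_LEN are placeholders chosen for the example; the draft's real values are not stated on the page. The hostname and IP addresses are constructed sample input.

```python
"""Toy EDNS-PING style query/response matching (illustration, not PowerDNS code)."""
import hmac
import os
import struct
from typing import Optional

PING_OPTION_CODE = 5   # ASSUMPTION: placeholder option code, not the draft's real value
NONCE_LEN = 16         # ASSUMPTION: nonce length chosen for this example


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ping_option(nonce: bytes) -> bytes:
    """An OPT RR (root name, TYPE 41, UDP size 4096, ext-rcode/version/flags 0)
    whose only option is the PING nonce."""
    option = struct.pack("!HH", PING_OPTION_CODE, len(nonce)) + nonce
    return b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option


def build_query(txid: int, qname: str, nonce: bytes) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, one OPT in ARCOUNT
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # A, IN
    return header + question + ping_option(nonce)


def build_response(txid: int, qname: str, ip: str, nonce: Optional[bytes]) -> bytes:
    """A response for the query; nonce=None models a server (or forger) that does
    not echo the PING option."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1 if nonce is not None else 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    # Answer RR: name compressed to a pointer at offset 12 (the question name), A/IN, TTL 60
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
    msg = header + question + answer
    return msg + ping_option(nonce) if nonce is not None else msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name starting at off (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def extract_ping(msg: bytes) -> Optional[bytes]:
    """Walk all RRs, find the OPT RR and return the PING option's payload, if any."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 41:
            o = 0
            while o + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[o:o + 4])
                if code == PING_OPTION_CODE:
                    return rdata[o + 4:o + 4 + olen]
                o += 4 + olen
    return None


def accept_response(query_txid: int, query_nonce: bytes, response: bytes) -> bool:
    """The resolver-side check: transaction ID AND echoed nonce must both match.
    Assumes the server is already known to be PING-capable, so a missing echo is a reject."""
    rtxid, flags = struct.unpack("!HH", response[:4])
    if rtxid != query_txid or not flags & 0x8000:
        return False
    echoed = extract_ping(response)
    if echoed is None:
        return False
    return hmac.compare_digest(echoed, query_nonce)


def search_space_bits() -> int:
    """Bits an off-path forger must guess: 16-bit TXID plus the nonce."""
    return 16 + 8 * NONCE_LEN


def simulate(qname: str = "www.example.org", ip: str = "192.0.2.1"):
    """Returns (genuine accepted, forgery without echo accepted, forgery with guessed nonce accepted)."""
    txid = int.from_bytes(os.urandom(2), "big")
    nonce = os.urandom(NONCE_LEN)
    assert extract_ping(build_query(txid, qname, nonce)) == nonce
    genuine = build_response(txid, qname, ip, nonce)
    # Forger who already guessed the 16-bit TXID but cannot see the nonce (constructed sample)
    spoof_no_echo = build_response(txid, qname, "203.0.113.66", None)
    spoof_guess = build_response(txid, qname, "203.0.113.66", os.urandom(NONCE_LEN))
    return (accept_response(txid, nonce, genuine),
            accept_response(txid, nonce, spoof_no_echo),
            accept_response(txid, nonce, spoof_guess))


if __name__ == "__main__":
    print(simulate(), "guess space bits:", search_space_bits())
```

The strict "missing echo means reject" rule only makes sense once the resolver has learned that a given authoritative server echoes the option (the "welcome ... to the land of EDNS-PING" log line in the announcement is the recursor noticing exactly that); an EDNS0 server that does not know the option simply omits it, so the fallback for unknown servers has to be the old transaction ID plus port matching.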

