[Pdns-users] PowerDNS Recursor 3.1.8-prerelease with EDNS-PING
bert.hubert at netherlabs.nl
Sun Feb 8 00:29:40 UTC 2009
One small note - EDNS-PING is *not* yet an official standard. It is like
buying a '802.11N DRAFT' router!
But it is unlikely the technical details (wire format) of EDNS-PING will
change, since the specification is so simple.
On Sun, Feb 08, 2009 at 01:22:29AM +0100, bert hubert wrote:
> Hi everybody,
> Quoting from http://edns-ping.org :
> EDNS-PING is an option within the EDNS DNS framework which allows
> nameservers to protect themselves from certain "spoofing" attacks.
> By default, responses to DNS questions are matched to their questions by
> making sure they share the same DNS transaction ID, IP and network
> In certain scenarios, it may be feasible for an external attacker to
> inject responses that artificially match the criteria outlined above.
> This problem would not occur if the DNS transaction ID would not have
> been limited to 65536 distinct values.
> EDNS-PING in effect allows for a far longer DNS transaction ID, making it
> infeasible for an external attacker to inject "fake" responses.
> EDNS-PING is a work of David Ulevitch of OpenDNS, and of me.
> Not much noise was made about this, but PowerDNS Authoritative Server 2.9.22
> shipped with EDNS-PING support built in.
> Today, this is complemented by a PowerDNS Recursor 3.1.8-prerelease, which
> can make use of EDNS-PING to protect your DNS queries from spoofing.
> Please find the snapshot on:
> To test, try to resolve 'www.edns-ping.org', and watch the log file, which
> should then contain the following message:
> Feb 08 01:21:00 We welcome 184.108.40.206 to the land of EDNS-PING!
> For more information, see http://edns-ping.org
> PS: This is another very good reason to upgrade your authoritative PowerDNS
> servers to 2.9.22!
> http://www.PowerDNS.com Open source, database driven DNS Software
> http://netherlabs.nl Open and Closed source services
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
More information about the Pdns-users