[Pdns-users] PowerDNS Recursor 3.1.8-prerelease with EDNS-PING
Frank Louwers
frank at openminds.be
Mon Feb 9 09:22:23 UTC 2009
bert hubert wrote:
> One small note - EDNS-PING is *not* yet an official standard. It is like
> buying a '802.11N DRAFT' router!
>
> But it is unlikely the technical details (wire format) of EDNS-PING will
> change, since the specification is so simple.
>
>
Bert,
the two important questions to ask here are:
- will this break any old/broken-but-common dns resolver implementation
out there?
- will this help stop / prevent the recent DDoS dns-based attacks we've
all seen the past few weeks?
Regards,
Frank
> Bert
>
> On Sun, Feb 08, 2009 at 01:22:29AM +0100, bert hubert wrote:
>
>> Hi everybody,
>>
>> Quoting from http://edns-ping.org :
>>
>> EDNS-PING is an option within the EDNS DNS framework which allows
>> nameservers to protect themselves from certain "spoofing" attacks.
>>
>> By default, responses to DNS questions are matched to their questions by
>> making sure they share the same DNS transaction ID, IP and network
>> endpoints.
>>
>> In certain scenarios, it may be feasible for an external attacker to
>> inject responses that artificially match the criteria outlined above.
>>
>> This problem would not occur if the DNS transaction ID would not have
>> been limited to 65536 distinct values.
>>
>> EDNS-PING in effect allows for a far longer DNS transaction ID, making it
>> infeasible for an external attacker to inject "fake" responses.
>>
>> EDNS-PING is a work of David Ulevitch of OpenDNS, and of me.
>>
>> Not much noise was made about this, but PowerDNS Authoritative Server 2.9.22
>> shipped with EDNS-PING support built in.
>>
>> Today, this is complemented by a PowerDNS Recursor 3.1.8-prerelease, which
>> can make use of EDNS-PING to protect your DNS queries from spoofing.
>>
>> Please find the snapshot on:
>> http://svn.powerdns.com/snapshots/pdns-recursor-3.1.8-pre.tar.bz2
>>
>> To test, try to resolve 'www.edns-ping.org', and watch the log file, which
>> should then contain the following message:
>>
>> Feb 08 01:21:00 We welcome 85.17.219.217 to the land of EDNS-PING!
>>
>> For more information, see http://edns-ping.org
>>
>> PS: This is another very good reason to upgrade your authoritative PowerDNS
>> servers to 2.9.22!
>>
>> Bert
>>
>> --
>> http://www.PowerDNS.com Open source, database driven DNS Software
>> http://netherlabs.nl Open and Closed source services
>
>
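The response-matching scheme Bert describes above, as an added example that is not part of this thread or of PowerDNS's own code: a small Python model that builds DNS queries carrying an EDNS0 OPT record with a random nonce option, answers them, and accepts a response only when transaction ID, remote endpoint, question name and echoed nonce all match an outstanding query. The option code (from the RFC 6891 local/experimental range), the 4-byte nonce length, the 192.0.2.x addresses and the hypothetical `Resolver` class are all assumptions of this example, not the EDNS-PING wire format.

```python
"""Constructed model of DNS response matching with an EDNS0 nonce option."""
import secrets
import struct

PING_OPTION_CODE = 65001   # placeholder from the experimental range, NOT the EDNS-PING code
NONCE_LEN = 4              # assumed nonce length for this example
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name: str) -> bytes:
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"


def read_name(data: bytes, off: int):
    """Read a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def opt_rr(options: list) -> bytes:
    """OPT pseudo-RR: root name, type 41, UDP size 4096, extended RCODE/flags 0."""
    rdata = b"".join(struct.pack("!HH", code, len(val)) + val for code, val in options)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata


def build_query(txid: int, qname: str, nonce: bytes) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + opt_rr([(PING_OPTION_CODE, nonce)])


def parse_message(data: bytes) -> dict:
    """Parse header, the single question, and all RRs; pull out A answers and the nonce."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = read_name(data, 12)
    off += 4                                            # skip QTYPE and QCLASS
    answers, nonce = [], None
    for _ in range(an + ns + ar):
        _, off = read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:                           # walk the EDNS options
            p = 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                p += 4
                if code == PING_OPTION_CODE:
                    nonce = rdata[p:p + olen]
                p += olen
        elif rtype == TYPE_A:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "flags": flags, "qname": qname, "answers": answers, "nonce": nonce}


def build_response(query: bytes, ip: str, nonce=None) -> bytes:
    """Answer with one A record. nonce=None echoes the query's nonce; b'' omits the option."""
    q = parse_message(query)
    nonce = q["nonce"] if nonce is None else nonce
    options = [(PING_OPTION_CODE, nonce)] if nonce else []
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 1 if options else 0)
    question = encode_name(q["qname"]) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + rdata   # name = pointer to question
    return header + question + answer + (opt_rr(options) if options else b"")


class Resolver:
    """Hypothetical resolver side: tracks outstanding queries and validates responses."""

    def __init__(self):
        self.outstanding = {}   # (txid, server_ip, server_port) -> (qname, nonce)

    def send(self, qname: str, server_ip: str, server_port: int = 53) -> bytes:
        txid = secrets.randbelow(65536)                  # the 16-bit ID the text refers to
        nonce = secrets.token_bytes(NONCE_LEN)           # extra entropy carried in the OPT RR
        self.outstanding[(txid, server_ip, server_port)] = (qname, nonce)
        return build_query(txid, qname, nonce)

    def accept(self, response: bytes, src_ip: str, src_port: int) -> bool:
        msg = parse_message(response)
        key = (msg["txid"], src_ip, src_port)
        if key not in self.outstanding:
            return False                                 # unknown transaction ID or endpoint
        qname, nonce = self.outstanding[key]
        if msg["qname"].lower() != qname.lower():
            return False                                 # question section does not match
        if msg["nonce"] != nonce:
            return False                                 # nonce missing or wrong: drop it
        del self.outstanding[key]                        # slot consumed, so a replay is rejected
        return True


def demo() -> dict:
    """Run the matching rules against a good response and several mismatching ones."""
    r = Resolver()
    query = r.send("www.edns-ping.org", "192.0.2.53")    # constructed server address
    sent_nonce = parse_message(query)["nonce"]
    good = build_response(query, "192.0.2.10")
    no_nonce = build_response(query, "192.0.2.10", nonce=b"")
    wrong = build_response(query, "192.0.2.10", nonce=bytes(b ^ 0xFF for b in sent_nonce))
    return {
        "no_nonce": r.accept(no_nonce, "192.0.2.53", 53),
        "wrong_nonce": r.accept(wrong, "192.0.2.53", 53),
        "wrong_endpoint": r.accept(good, "192.0.2.54", 53),
        "good": r.accept(good, "192.0.2.53", 53),
        "replay": r.accept(good, "192.0.2.53", 53),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the last three checks in `accept`: a response that carries the right 16-bit transaction ID and comes from the right endpoint is still discarded when the nonce the resolver put in its OPT record is absent or different, which is what lengthens the effective transaction ID. On a real network the check also has to tolerate servers that do not echo the option at all, which is exactly Frank's first question.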