[Pdns-users] Enforcing clients to use TCP for DNS queries

Peter van Dijk peter.van.dijk at netherlabs.nl
Tue Jun 5 21:36:14 UTC 2012


Hello Oguz,

On Jun 5, 2012, at 11:52 , Oguz Yilmaz wrote:

> UDP DNS is open to spoofing. Setting TC bit and requesting TCP query
> may be a mechanism for client identity authenticity. However, what do
> you think about interoperability of clients when they get a re-query
> request through TC bit?


Saying UDP DNS is open to spoofing is a bit harsh - ID and port should not be very predictable in most situations, and this should help.

Additionally, as long as your plan is to send UDP TC packets so that people will fall back to TCP, the spoofer is just fighting against your TC packet instead of fighting against your UDP-with-content response. I'm not sure this would add any security.

And on a sidenote, it is not uncommon for cheap home routers to not support TCP DNS at all. My Fritz!Box at home did not support TCP DNS until a month ago, for example.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
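The argument in this message (a TC-bit reply has to survive the same spoofing race as a reply carrying data, and the entropy in transaction id and source port is what makes that race hard) can be made concrete in code. The following is an added example written for this page; it is not code from the thread or from PowerDNS. It builds real wire-format DNS messages but does not open sockets: the server address, client port, transaction id and forged answer are constructed stand-ins, and `accepts()` is a deliberately simplified version of the checks a resolver applies before trusting a UDP reply.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000  # message is a response
TC = 0x0200  # truncated: the client is expected to retry over TCP
RD = 0x0100  # recursion desired


def encode_name(name):
    """Wire-encode a hostname as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid, qtype=1):
    """Wire-format query for <name> (qtype 1 = A, class 1 = IN) with transaction id qid."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_tc_response(query):
    """Server side of the TC trick: echo the question with QR|TC set and no answer records."""
    qid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", qid, QR | TC | (flags & RD), qd, 0, 0, 0)
    return header + query[12:]


def build_forged_answer(query, guessed_id, rdata):
    """Spoofer side: a complete A answer for the question, with whatever id the spoofer guessed."""
    _, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", guessed_id, QR | (flags & RD), qd, 1, 0, 0)
    # Answer RR: compressed name pointer to the question name at offset 12, type A, IN, TTL 60.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + query[12:] + answer


def parse_header(msg):
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "qdcount": qd, "ancount": an}


def accepts(reply, expected):
    """
    The check a resolver applies to every UDP reply before trusting it: it came from the server
    the query went to, it hit the (randomised) client port the query left from, the 16-bit id
    matches, and the question section is echoed back. Nothing here looks at TC, so a truncated
    reply has to clear exactly the same bar as a full one and is no harder to forge.
    """
    hdr = parse_header(reply["data"])
    question = expected["query"][12:]
    return (reply["src"] == expected["server"]
            and reply["dst_port"] == expected["client_port"]
            and hdr["qr"]
            and hdr["id"] == parse_header(expected["query"])["id"]
            and reply["data"][12:12 + len(question)] == question)


def resolve(replies, expected):
    """
    Client behaviour over the replies in arrival order: the first one that passes accepts()
    decides. Returns ("retry_over_tcp", None) if it was truncated, ("answer", bytes) if it
    carried data, or ("timeout", None) if nothing acceptable arrived.
    """
    for reply in replies:
        if not accepts(reply, expected):
            continue  # wrong id, port or question: dropped silently, as real resolvers do
        if parse_header(reply["data"])["tc"]:
            return ("retry_over_tcp", None)
        return ("answer", reply["data"])
    return ("timeout", None)


def demo():
    """Constructed scenario: one query, one honest TC reply, and forged answers that race it."""
    server = ("192.0.2.53", 53)           # documentation-range address, not real infrastructure
    client_port, qid = 49731, 0x1A2B      # stand-ins for the client's random port and id
    query = build_query("www.example.com", qid)
    expected = {"server": server, "client_port": client_port, "query": query}
    rogue_ip = b"\xc0\x00\x02\x01"        # 192.0.2.1, the address the spoofer wants accepted
    legit_tc = {"src": server, "dst_port": client_port, "data": build_tc_response(query)}
    wrong_id = {"src": server, "dst_port": client_port,
                "data": build_forged_answer(query, 0x0001, rogue_ip)}
    wrong_port = {"src": server, "dst_port": 40000,
                  "data": build_forged_answer(query, qid, rogue_ip)}
    perfect = {"src": server, "dst_port": client_port,
               "data": build_forged_answer(query, qid, rogue_ip)}
    # Forgeries with a wrong id or port are dropped; the honest TC reply wins and the client
    # moves to TCP, which a blind spoofer cannot follow.
    guessed_badly = resolve([wrong_id, wrong_port, legit_tc], expected)
    # A forgery that guesses id and port and arrives first is accepted before the TC reply is
    # ever seen: the spoofer beat the TC packet exactly as it would have beaten a data packet.
    guessed_right = resolve([perfect, legit_tc], expected)
    return guessed_badly, guessed_right


if __name__ == "__main__":
    print(demo())
```

Run it and the two outcomes line up with the message above: the TC reply only helps once it has itself been accepted, and acceptance is decided by source port and transaction id, not by the TC bit. A spoofer who can win the race against a data-bearing reply can win it against the TC reply just as well, so the security comes from the unpredictability of id and port, not from forcing the client onto TCP afterwards.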



