[Pdns-users] Enforcing clients to use TCP for DNS queries

Oguz Yilmaz oguzyilmazlist at gmail.com
Wed Jun 6 11:10:12 UTC 2012


On Wed, Jun 6, 2012 at 12:36 AM, Peter van Dijk
<peter.van.dijk at netherlabs.nl> wrote:
> Hello Oguz,
>
> On Jun 5, 2012, at 11:52 , Oguz Yilmaz wrote:
>
>> UDP DNS is open to spoofing. Setting TC bit and requesting TCP query
>> may be a mechanism for client identity authenticity. However, what do
>> you think about interoperability of clients when they get a re-query
>> request through TC bit?
>
>
> Saying UDP DNS is open to spoofing is a bit harsh - ID and port should not be very predictable in most situations, and this should help.
>
> Additionally, as long as your plan is to send UDP TC packets so that people will fall back to TCP, the spoofer is just fighting against your TC packet instead of fighting against your UDP-with-content response. I'm not sure this would add any security.
>

Actually, my point is to get rid of UDP-level IP spoofing.

> And on a sidenote, it is not uncommon for cheap home routers to not support TCP DNS at all. My Fritz!Box at home did not support TCP DNS until a month ago, for example.
>

This is really important. If a variety of routers also have this
problem, the method is open to new connection problems.

Thanks.
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
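As an added illustration (not code from this thread or from PowerDNS), the following Python sketch shows the resolver-side logic the discussion turns on: a random 16-bit query ID, the ID/port check on incoming UDP replies that makes blind spoofing harder, and the TC bit that tells a client to repeat the query over TCP. The function names and the TC-flagged reply are constructed for the example.

```python
import random
import struct
from typing import Optional

def build_query(qname: str, qtype: int = 1, ident: Optional[int] = None) -> bytes:
    """Build a minimal DNS query; the ID is random unless fixed for testing."""
    ident = random.randrange(0, 0x10000) if ident is None else ident
    flags = 0x0100  # QR=0, RD=1
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields we care about."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def truncated_reply(query: bytes) -> bytes:
    """Constructed: an empty UDP reply with TC set, as the thread proposes."""
    ident, flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    new_flags = 0x8000 | 0x0200 | (flags & 0x0100) | 0x0080  # QR, TC, RD, RA
    return struct.pack("!HHHHHH", ident, new_flags, qd, 0, 0, 0) + query[12:]

def classify_reply(query: bytes, reply: bytes, query_port: int, reply_port: int) -> str:
    """What a resolver should do with a UDP reply that arrived for `query`.

    query_port is the (ideally random) source port the query left from;
    reply_port is the destination port the reply arrived on.
    """
    q = parse_header(query)
    r = parse_header(reply)
    if not r["qr"] or r["id"] != q["id"] or reply_port != query_port:
        return "discard"    # ID/port mismatch: ignore it, keep waiting
    if r["tc"]:
        return "retry_tcp"  # TC set: repeat the same question over TCP
    return "accept"
```

A real resolver also checks that the question section of the reply matches the query; that is left out here to keep the sketch short.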



More information about the Pdns-users mailing list