Suggestion for enhancement to DNS

James Cammarata jimi at sngx.net
Mon Aug 11 16:59:04 UTC 2008


Hi all, I've been reading up on the recent DNS vulnerability, and a
solution to me seems obvious, though I'm wondering if I'm missing something
or just not completely understanding the nature of DNS - something that
might make the following suggestion impractical/impossible.  The thing that
got me started on this is this article:
http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

My solution would be as follows: whenever a DNS server issues a recursive
query request, add a second question.  This question could take several
forms: it could be for a bogus sub-domain, or just some randomly generated
hash.  If the DNS protocol were extended to allow a new signature-type
resource record (a long run, I know), the replying server would essentially
just echo back the question (or if it were done today you'd get NXDOMAIN
back).  Either way, this would prevent a cache poisoning flood attack,
since only the actual server questioned would have the correct matching
answer.

The downsides to this approach are obvious: longer DNS queries/responses
and the corresponding bandwidth increases, along with possibly forcing more
DNS queries to resort to TCP connections when exceeding the 512-byte limit
for UDP.  However, the increase in security would be well worth it,
especially if the hash only added 20-30 bytes to a query/response.

Anyway, like I said, this is all just something that crossed my mind, so I
thought I'd bring it up here, and any feedback would be appreciated.

Thanks,

James C.
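A minimal model of the proposal in this post, added here as an example (it is neither the poster's code nor BIND's): the resolver builds a two-question query, the real name plus a random nonce sub-domain, and accepts a reply only when the transaction ID matches and both questions are echoed back verbatim. Wire encoding follows RFC 1035; the 32-hex-character nonce label, the absence of name compression, and the empty-answer reply are assumptions made to keep the model short.

```python
import os
import struct

QTYPE_A, QCLASS_IN = 1, 1  # RFC 1035 constants

def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, root terminator)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(wire, offset):
    """Read an uncompressed wire-format name; return (dotted name, next offset)."""
    labels = []
    while wire[offset]:
        n = wire[offset]
        labels.append(wire[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels), offset + 1

def parse_questions(wire):
    """Return (txid, [(qname, qtype, qclass), ...]) from a DNS message."""
    txid, _flags, qdcount = struct.unpack("!HHH", wire[:6])
    offset, questions = 12, []
    for _ in range(qdcount):
        qname, offset = decode_name(wire, offset)
        qtype, qclass = struct.unpack("!HH", wire[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    return txid, questions

def build_query(qname):
    """Two-question query: the real question plus a random nonce sub-domain."""
    txid = struct.unpack("!H", os.urandom(2))[0]          # 16-bit ID, as today
    nonce_name = os.urandom(16).hex() + "." + qname       # assumed: 128-bit bogus label
    header = struct.pack("!HHHHHH", txid, 0x0100, 2, 0, 0, 0)  # RD=1, QDCOUNT=2
    body = b"".join(encode_name(n) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
                    for n in (qname, nonce_name))
    return txid, nonce_name, header + body

def response_matches(txid, qname, nonce_name, response):
    """Accept only if the ID matches AND both questions are echoed verbatim."""
    rid, questions = parse_questions(response)
    expected = [(qname, QTYPE_A, QCLASS_IN), (nonce_name, QTYPE_A, QCLASS_IN)]
    return rid == txid and questions == expected

def make_response(txid, questions):
    """Constructed reply that echoes the question section with no answer RRs."""
    header = struct.pack("!HHHHHH", txid, 0x8180, len(questions), 0, 0, 0)
    return header + b"".join(encode_name(n) + struct.pack("!HH", t, c)
                             for n, t, c in questions)
```

A reply that carries the right ID but only the public question (what a blind spoofer can reproduce) is rejected; only the server that received the query can echo the nonce.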
