Suggestion for enhancement to DNS

Bryan Irvine sparctacus at gmail.com
Mon Aug 11 17:44:29 UTC 2008


or DNSSEC :-)

On Mon, Aug 11, 2008 at 9:59 AM, James Cammarata <jimi at sngx.net> wrote:
>
> Hi all, I've been reading up on the recent DNS vulnerability, and a
> solution to me seems obvious, though I'm wondering if I'm missing something
> or just not completely understanding the nature of DNS - something that
> might make the following suggestion impractical/impossible. The thing that
> got me started on this is this article:
> http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
>
> My solution would be as follows: whenever a DNS server issues a recursive
> query request, add a second question. This question could take several
> forms: it could be for a bogus sub-domain, or just some randomly generated
> hash. If the DNS protocol were extended to allow a new signature-type
> resource record (a long run, I know), the replying server would essentially
> just echo back the question (or if it were done today you'd get NXDOMAIN
> back). Either way, this would prevent a cache poisoning flood attack,
> since only the actual server questioned would have the correct matching
> answer.
>
> The downsides to this approach are obvious: longer DNS queries/responses
> and the corresponding bandwidth increases, along with possibly forcing more
> DNS queries to resort to tcp connections when exceeding the 512 byte limit
> for udp.  However, the increase in security would be well worth it,
> especially if the hash only added 20-30 bytes to a query/response.
>
> Anyway, like I said, this is all just something that crossed my mind, so I
> thought I'd bring it up here, and any feedback would be appreciated.
>
> Thanks,
>
> James C.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
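To make the proposal concrete, here is an added Python model of a resolver that appends a random "nonce" question to each query and accepts a reply only if the responder echoes both questions back verbatim along with the matching transaction ID. This is example code written for this page, not something from the thread or from BIND; the nonce zone `nonce.example.` and the two simulated responders are constructed stand-ins (real authoritative servers do not handle QDCOUNT > 1, as the original post notes, so the "honest" server here is hypothetical). The idea is a close relative of the 0x20 case-randomization proposal of the same period, where the question name is also echoed back as an unguessable token.

```python
import struct
import secrets

# Constructed example: a minimal DNS message encoder/decoder that appends a
# random "nonce" second question to every query and validates replies by
# requiring the responder to echo the whole question section exactly.

QTYPE_A = 1
QTYPE_TXT = 16
QCLASS_IN = 1


def canonical(name: str) -> str:
    """Normalise a domain name to the trailing-dot form used for comparison."""
    return name.rstrip(".") + "."


def encode_name(name: str) -> bytes:
    """Wire-format an (uncompressed) domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed name starting at off; return (name, new_off)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers never appear in a question section
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_query(qname: str, qtype: int, nonce_zone: str = "nonce.example."):
    """Build a query with the real question plus a 128-bit random nonce question.

    Returns (wire_bytes, state) where state is what the resolver must remember
    in order to validate the reply.
    """
    txid = secrets.randbits(16)
    nonce = secrets.token_hex(16) + "." + canonical(nonce_zone)  # 32-char label, max is 63
    header = struct.pack("!HHHHHH", txid, 0x0100, 2, 0, 0, 0)     # RD set, QDCOUNT=2
    body = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    body += encode_name(nonce) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    state = {"txid": txid, "questions": [(canonical(qname), qtype), (nonce, QTYPE_TXT)]}
    return header + body, state


def parse_questions(msg: bytes):
    """Return (txid, flags, [(name, qtype), ...]) from a DNS message's question section."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qs = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        qs.append((name, qtype))
    return txid, flags, qs


def response_is_acceptable(msg: bytes, state: dict) -> bool:
    """Accept only if QR is set, TXID matches, and every question is echoed verbatim."""
    try:
        txid, flags, qs = parse_questions(msg)
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return False
    if not flags & 0x8000:          # must be a response
        return False
    if txid != state["txid"]:
        return False
    return qs == state["questions"]  # nonce question must come back unchanged


def _a_record(ip: str) -> bytes:
    # Answer RR pointing at the first question name (0xC00C), type A, IN, TTL 300
    return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes(map(int, ip.split(".")))


def simulate_honest_answer(query: bytes, ip: str = "192.0.2.1") -> bytes:
    """Hypothetical nonce-aware server: echoes the full question section and answers."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | 0x8000, qd, 1, 0, 0)
    return header + query[12:] + _a_record(ip)


def simulate_forged_answer(state: dict, ip: str = "198.51.100.99") -> bytes:
    """Off-path forgery model: TXID assumed guessed, but the nonce question is unknown."""
    qname, qtype = state["questions"][0]
    header = struct.pack("!HHHHHH", state["txid"], 0x8180, 1, 1, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN) + _a_record(ip)


if __name__ == "__main__":
    q, st = build_query("www.example.com", QTYPE_A)
    print("honest reply accepted:", response_is_acceptable(simulate_honest_answer(q), st))
    print("forged reply accepted:", response_is_acceptable(simulate_forged_answer(st), st))
```

The forged reply is rejected even though the transaction ID matches, because the 128-bit nonce has to be echoed and an off-path sender never saw it. The cost is the extra question (about 50 bytes here for the name plus type and class), which is the bandwidth and 512-byte UDP trade-off the post raises; note also that an on-path observer who can read the query sees the nonce, so this defends against blind guessing, not against interception, which is where DNSSEC comes in.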

