> You can't guarantee that every nameserver in the world will support TCP.
Its more dependable than trying to depend on some type of cookie hidden in
areas that arent guaranteed to come back unmangled
> [ re: the possibility of manipulating servers into caching NXDOMAIN
> as a result of forgery protection ]
Servers shouldn't cache this unless theyre broken. And if theyre broken
in this regard, then they most likely also have predictable IDs and all
the other fun stuff that goes along with old software.
> > Well since we are dealing with these problems right now, we can be
> > intelligent and not cache a host/IP as broken when we receive spoofed
>
> Ok, just bringing it up. However, we've still prevented a legitimate query
> from resolving, so the only choices we have are to play dead or to
> incorrectly return an NXDOMAIN (right?).
Well, if the tcp connection also fails, we can return failure and try
again later.. So each lookup request that the attacker generates will give
him one try at guessing the ID number.. And each time, his plans might get
foiled by a successful connection to the real name servers, or a living
sysadmin noticing all of the logs spewing out.. Again, the best protection
would be cryptography
> That doesn't work. This is a blind attack; I can make the queries come
> from any address in the world I want them to come from. I don't think
> anything that relies on router configuration is a solution - do you?
You can probably configure what addresses you'll accept recursive queries
from in the bind config also.. Ill check it out
> [ re: TCP vs Cookie Response ]
> > I think connecting to the servers via TCP would be the better solution,
> > since it is a capability built into almost every DNS server in existence.
>
> Responding NXDOMAIN to a query is a capability built into every DNS server
> in existance. TCP DNS is not. It's an excellent idea, though!
TCP-ready BIND servers are probably 99% of the internet. However, if you
find that cookies work more reliably, then that would be the superior
solution. It certainly has more room for strange failures though
> If it doesn't, I can continue trying this attack indefinitely until I win.
The same with the cookies, except over a larger range of ID space. Also:
what do you do if a server doesnt return your cookies? Return a failure?
Ignore it?
> > it would be that quick and easy. This is really a serious problem that
> > should be addressed.
>
> Agreed. I think the combination of D.O.S. with the ID prediction attack is
> the most significant issue here.
Well, with the method I am proposing, a DOS attack will only be possible
if port 53 is unavailable on the authoritative nameservers for the domain
that is being blocked. So the problem no longer lies in your nameserver,
it is now a problem of the site being blocked for whatever reason, and
would have to be fixed on that end. What else can be done on our end?
-vermont@gate.net