Evening!

> I don’t think this is true, otherwise all resolver implementations would
> have been affected and not just a few. If you are on path directly behind
> the resolver, of course all bets are off, but if you are on path just
> between the resolver and the forwarder, those resolvers that are more
> cautious in what cache information they use for iterative queries are not
> vulnerable.

DoT could work if the attacker is between the server and the resolver. However, if the attacker controls the target server, DoT just fails.

> I guess that is why Akamai Cacheserve, NLNet Labs Unbound and PowerDNS
> Recursor are not mentioned in the paper, because they were not vulnerable.

Sorry. That software is not affected because they implemented the bailiwick checking well, as we explained in our paper, not because they used DoT as you said. That's what we found by performing our analysis and testing. We also tested Akamai Cacheserve after Akamai researchers reached out to us. Both their immune implementations and DNSSEC protected them well.

> I agree that DNSSEC can fully mitigate it and should be used. Any
> encrypted transport to a forwarder also would work, but IMHO it probably
> would be better to not use forwarding at all.

Yes. DNSSEC will work.

Best,
Xiang

On Wed, Sep 27, 2023 at 3:39 PM Ralf Weber <[email protected]> wrote:
> Moin!
>
> On 27 Sep 2023, at 3:58, Xiang Li wrote:
>
> > Hi Stephane,
> >
> > This is Xiang, the author of this paper.
> >
> > For the off-path attack, DoT can protect the CDNS from being poisoned.
> > For the on-path attack, since the forwarding query is sent to the
> > attacker's server, only DNSSEC can mitigate the MaginotDNS.
>
> I don’t think this is true, otherwise all resolver implementations would
> have been affected and not just a few. If you are on path directly behind
> the resolver, of course all bets are off, but if you are on path just
> between the resolver and the forwarder, those resolvers that are more
> cautious in what cache information they use for iterative queries are not
> vulnerable.
>
> I guess that is why Akamai Cacheserve, NLNet Labs Unbound and PowerDNS
> Recursor are not mentioned in the paper, because they were not vulnerable.
>
> I agree that DNSSEC can fully mitigate it and should be used. Any
> encrypted transport to a forwarder also would work, but IMHO it probably
> would be better to not use forwarding at all.
>
> So long
> -Ralf
> ——-
> Ralf Weber
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
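The thread above credits "cautious" cache handling, i.e. bailiwick checking, with keeping some resolvers out of the MaginotDNS paper. The following is an added illustration of that check, not code from the thread, the paper, or any of the resolvers named; it assumes the zone a queried server is trusted for is already known (from the delegation or the configured forward zone) and uses constructed records rather than wire-format messages.

```python
# Added example: a minimal bailiwick filter for a resolver or forwarder cache.
# Record layout, names and addresses below are constructed for illustration.
from typing import List, NamedTuple, Tuple


class RR(NamedTuple):
    name: str    # owner name, e.g. "www.fwd.example."
    rtype: str   # record type, e.g. "A", "NS"
    rdata: str   # record data as text


def canon(name: str) -> str:
    """Lower-case the name and ensure a trailing dot so comparisons are stable."""
    n = name.lower()
    return n if n.endswith(".") else n + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or lies below it; the root zone covers everything."""
    owner, zone = canon(owner), canon(zone)
    if zone == ".":
        return True
    # The leading dot prevents "xfwd.example." from matching zone "fwd.example."
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, answer: List[RR], authority: List[RR],
                    additional: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response into records the cache may keep and records it must drop.

    `zone` is the zone the queried server is trusted for. Anything owned by a
    name outside that zone, in any section, is discarded before caching; a
    forwarder that skips this step would cache it and serve it to every
    client behind the shared cache.
    """
    accepted, dropped = [], []
    for rr in answer + authority + additional:
        (accepted if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed response: the authority and additional sections carry
    # records for a name the queried server is not trusted for.
    ans = [RR("www.fwd.example.", "A", "192.0.2.10")]
    auth = [RR("other.example.", "NS", "ns.fwd.example.")]
    add = [RR("ns.fwd.example.", "A", "192.0.2.11"),
           RR("other.example.", "A", "192.0.2.12")]
    kept, gone = filter_response("fwd.example.", ans, auth, add)
    print("cached:", [r.name for r in kept])
    print("dropped:", [r.name for r in gone])
```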
