On Wed, Jun 6, 2012 at 12:36 AM, Peter van Dijk <[email protected]> wrote:
> Hello Oguz,
>
> On Jun 5, 2012, at 11:52 , Oguz Yilmaz wrote:
>
>> UDP DNS is open to spoofing. Setting the TC bit and requesting a TCP query
>> may be a mechanism for client identity authenticity. However, what do
>> you think about interoperability of clients when they get a re-query
>> request through the TC bit?
>
> Saying UDP DNS is open to spoofing is a bit harsh - ID and port should not be
> very predictable in most situations, and this should help.
>
> Additionally, as long as your plan is to send UDP TC packets so that people
> will fall back to TCP, the spoofer is just fighting against your TC packet
> instead of fighting against your UDP-with-content response. I'm not sure this
> would add any security.
>

Actually my point is to get rid of UDP-level IP spoofing.

> And on a sidenote, it is not uncommon for cheap home routers to not support
> TCP DNS at all. My Fritz!Box at home did not support TCP DNS until a month
> ago, for example.
>

This is really important. If a variety of routers also have this problem, the method is open to new connection problems. Thanks.

> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
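As an added illustration of the mechanism under discussion (example code, not from the thread or from PowerDNS): a server that answers a UDP query with an empty reply carrying the TC bit, and a client that discards any reply whose 16-bit transaction ID does not match its outstanding query before deciding to retry over TCP. The header layout is the standard RFC 1035 one; the query name and ID are constructed sample values.

```python
import struct

# RFC 1035 header flag bits (16-bit flags word)
QR = 0x8000  # response
TC = 0x0200  # truncated: client should retry over TCP
RD = 0x0100  # recursion desired

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: RD set, one question (default QTYPE A, class IN)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def truncated_reply(query: bytes) -> bytes:
    """Server side: echo the query's ID and question section, set QR|TC,
    carry no answer records. This is the 'please come back over TCP' packet."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", txid, QR | TC | (flags & RD), qdcount, 0, 0, 0)
    return header + query[12:]

def classify_response(resp: bytes, expected_id: int) -> str:
    """Client side. 'ignore' if the packet is not a response to our query
    (ID mismatch, QR clear, or runt), 'retry_tcp' if TC is set, else 'answer'.
    Note the TC reply is matched on exactly the same ID a full answer would
    carry, so the ID (and source port) check is what resists spoofing, not TC."""
    if len(resp) < 12:
        return "ignore"
    txid, flags = struct.unpack("!HH", resp[:4])
    if txid != expected_id or not (flags & QR):
        return "ignore"
    if flags & TC:
        return "retry_tcp"
    return "answer"

if __name__ == "__main__":
    q = build_query(0x1234, "example.com")   # constructed sample query
    r = truncated_reply(q)
    print(classify_response(r, 0x1234))      # retry_tcp
    print(classify_response(r, 0x4321))      # ignore (ID mismatch)
```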
