[116588] in North American Network Operators' Group


DNS query repetition ( was DNS Hardening )

daemon@ATHENA.MIT.EDU (George Barwood)
Sat Aug 8 16:45:08 2009

From: "George Barwood" <george.barwood@blueyonder.co.uk>
To: <nanog@nanog.org>
Date: Sat, 8 Aug 2009 21:44:15 +0100
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

In an earlier thread, Jon Levine asked

> Other than DNSSEC, I'm aware of these relatively simple hacks to add 
> entropy to DNS queries.

> 1) Random query ID

> 2) Random source port

> 3) Random case in queries, e.g. GooGLe.CoM

> 4) Ask twice (with different values for the first three hacks) and compare 
> the answers

> I presume everyone is doing the first two.  Any experience with the other 
> two to report?

I have implemented a (public domain) DNS cache "GbDns" that implements both 
3 and 4 ( and also DnsCurve ).

For non-deterministic authorities, such as Akamai, more than 2 queries are 
needed, and some relatively complex code.

It turns out to be completely practical, albeit leading to an increase in 
the number of packets.

Source code and a link to an IETF draft that describes the method is at

http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/

Regards,
George Barwood

( New subscriber, hence the new thread ) 
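The four entropy hacks quoted above, and the "ask more than twice" extension for round-robin authorities, as an added Python illustration (this is not GbDns code and not the method in the linked draft; the quorum policy, the response field names and the 192.0.2.x answers are all constructed for the example):

```python
import random
import secrets
from collections import Counter
from typing import Callable, Iterable, Sequence


def randomize_case(qname: str, randbits: Callable[[int], int] = secrets.randbits) -> str:
    """Hack 3 ("0x20"): flip the case of every letter at random.

    An off-path spoofer must guess the exact case pattern as well as the
    query ID and source port. `randbits` is injectable only for tests;
    production code keeps the default CSPRNG."""
    return "".join(
        (ch.upper() if randbits(1) else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )


def response_matches_query(query: dict, response: dict) -> bool:
    """Receiving side of hacks 1-3 (field names are this example's own):
    a response is only considered if its ID, the port it was addressed to,
    and the exact spelling of the echoed question all match what was sent.
    The qname comparison is deliberately case-sensitive."""
    return (
        response["id"] == query["id"]
        and response["dst_port"] == query["src_port"]
        and response["qname"] == query["qname"]
    )


def answers_identical(answer_sets: Sequence[Iterable[str]]) -> bool:
    """Hack 4 for a deterministic authority: ask twice, accept only if the
    answers agree (order-insensitive, since RR ordering may rotate)."""
    sets = [frozenset(s) for s in answer_sets]
    return len(sets) >= 2 and all(s == sets[0] for s in sets)


def accept_by_quorum(answer_sets: Sequence[Iterable[str]], quorum: int = 2) -> set:
    """Illustrative policy for round-robin / non-deterministic authorities:
    send several independent queries and keep only records seen in at least
    `quorum` of them. A spoofer who wins a single race gets a record into
    one response only, which stays below the quorum."""
    counts = Counter(r for s in answer_sets for r in set(s))
    return {r for r, n in counts.items() if n >= quorum}


def resolve_with_repetition(answer_sets: Sequence[Iterable[str]], quorum: int = 2) -> set:
    """Fast path when every response agrees; otherwise fall back to quorum."""
    if answers_identical(answer_sets):
        return set(answer_sets[0])
    return accept_by_quorum(answer_sets, quorum)


if __name__ == "__main__":
    # Constructed sample: three genuine round-robin responses drawn from a
    # pool of four addresses, plus one forged response seen by a single query.
    genuine = [
        {"192.0.2.1", "192.0.2.2"},
        {"192.0.2.2", "192.0.2.3"},
        {"192.0.2.3", "192.0.2.1"},
    ]
    forged = {"192.0.2.99"}
    sent = randomize_case("www.example.com")
    print("sent qname:", sent)
    print("accepted:", sorted(resolve_with_repetition(genuine + [forged])))
```

With `quorum=2` and two queries the policy degenerates to plain "ask twice and compare"; raising the number of queries while keeping the quorum is what lets a resolver cope with an authority that never returns the same set twice, at the cost of the extra packets the post mentions.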