
DNS anti-forgery methods published as RFC

Bert Hubert (of Netherlabs Computer Consulting BV.) and Remco van Mook (of Equinix) today published RFC 5452, “Measures for Making DNS More Resilient against Forged Answers”. The memo is intended as a guide to interim anti-spoofing measures while the world awaits a more secure DNS. (Of course, the latter anticipation should not be spent in a state of voluntary apnoea.)


The document recommends three countermeasures for caching DNS servers.

  • First, such servers must screen every response in order to ensure that its source and destination IP addresses, destination port, and query ID, name, class and type match the query.
  • Second, source ports as well as query IDs must be used in an unpredictable manner. The same applies to source IP addresses, although as a “should” rather than a “must”. Firewalls or NAT devices between the server and its clients should also not inflict source port predictability.
  • Finally, when a server detects an attempt to spoof a query, it may defend itself by upgrading that query from UDP to TCP, a more reliable protocol.
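
The first and third countermeasures above, as an added illustration (this is not code from the RFC or its authors): a toy resolver front end that issues queries with unpredictable IDs and source ports, accepts a response only when every field the memo lists matches the outstanding query, and flags a query for a TCP retry once it has seen several non-matching answers. The threshold, the one-query-per-port bookkeeping and the addresses are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass

SPOOF_RETRY_THRESHOLD = 3  # assumed: mismatched answers to one query before falling back to TCP

@dataclass(frozen=True)
class Msg:
    """The fields RFC 5452 says a caching server must compare between query and response."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    qid: int
    qname: str
    qclass: int
    qtype: int

class Resolver:
    """Simplified model: one outstanding query per local source port."""
    def __init__(self, local_ip="192.0.2.53"):   # constructed address
        self.local_ip = local_ip
        self.outstanding = {}   # local source port -> Msg of the query sent from it
        self.mismatches = {}    # local source port -> non-matching responses seen so far

    def send_query(self, qname, qtype, server_ip, qclass=1):
        # Unpredictable 16-bit query ID and source port, never counters.
        qid = secrets.randbelow(1 << 16)
        sport = 49152 + secrets.randbelow(16384)          # dynamic port range (assumption)
        while sport in self.outstanding:
            sport = 49152 + secrets.randbelow(16384)
        q = Msg(self.local_ip, sport, server_ip, 53, qid, qname.lower(), qclass, qtype)
        self.outstanding[sport] = q
        return q

    def accept_response(self, r):
        """Return (accepted, retry_over_tcp); accepted only if every field matches."""
        q = self.outstanding.get(r.dst_port)
        if q is None:
            return False, False          # nothing waiting on that port: silently drop
        matches = (r.src_ip == q.dst_ip and r.src_port == q.dst_port
                   and r.dst_ip == q.src_ip and r.qid == q.qid
                   and r.qname.lower() == q.qname
                   and r.qclass == q.qclass and r.qtype == q.qtype)
        if matches:
            del self.outstanding[r.dst_port]
            self.mismatches.pop(r.dst_port, None)
            return True, False
        n = self.mismatches.get(r.dst_port, 0) + 1
        self.mismatches[r.dst_port] = n
        # Wrong-ID answers arriving at a port that does have a query waiting are the
        # sign of a guessing attack; past the threshold, re-ask the question over TCP.
        return False, n >= SPOOF_RETRY_THRESHOLD
```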

The 18‑page memo, which also describes how DNS spoofing occurs, is must-read information for any DNS server operator who is not already up to date on anti-spoofing measures. It is available at your favourite RFC repository.

What do you think? Please post your comment!

