nanog mailing list archives
Re: Comcast residential DNS contact
From: Mark Andrews <marka () isc org>
Date: Thu, 04 Dec 2014 11:11:33 +1100
DNS Cookies / SIT (DNS Cookies w/o the error code) will also deal with forged traffic. It allows you to identify traffic from a client that you have replied to in the past and to which you can safely send a large response. It lets you sort the wheat from the chaff.

https://tools.ietf.org/html/draft-ietf-dnsop-cookies-00

SIT is available in BIND 9.10 (configure --enable-sit) and uses an experimental EDNS OPT code. BIND 9.11 will have DNS Cookies / SIT on by default with an allocated code point.

The only thing is the amount of non EDNS compliance with servers will make this hard to deploy. In theory unknown EDNS options are supposed to be IGNORED (See RFC6891, 6.1.2 Wire Format). This was done to allow you to send an EDNS option without knowing if the other end supported that option safely.

http://users.isc.org/~marka/ts/gov.optfail.html

Unfortunately there are firewalls that block such queries. There are nameserver implementations that return FORMERR when they see such queries. There are nameserver implementations that return BADVERS when they see such queries. There are nameserver implementations that echo back the option. There are also implementations that don't return an EDNS response unless DO=1 is set.

If your nameserver / firewall combination fails to properly handle EDNS queries with unknown options can you please fix it.

You can test EDNS option handling with the following allocated code points.

	dig +nsid soa $zone @$server
	dig +expire soa $zone @$server

Experimental code point (requires BIND 9.10).

	dig +sit soa $zone @$server

Unallocated code point (requires pre BIND 9.11 code from sources.isc.org).

	dig +ednsopt=100 soa $zone @$server

There are also issues with attempting to use a new EDNS version (this should get BADVERS returned) or setting a new EDNS flag bit (supposed to be ignored). Firewalls also stupidly block these even more so than unknown EDNS options.
http://users.isc.org/~marka/ts.html

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
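The dig commands in the post need a live server. The following is an added example, not code from Mark Andrews' post or from BIND: it builds the same kind of EDNS query on the wire (an OPT RR carrying the unallocated option code 100 that `dig +ednsopt=100` sends), parses a reply, and classifies it into the failure modes the post lists (FORMERR, BADVERS, echoed option, no OPT RR, dropped). Option codes 3 (NSID, RFC 5001) and 9 (EXPIRE, RFC 7314) are the allocated ones the post tests with; the function names and the sample replies are constructed for this example, and `RD=1` and a 4096-byte UDP buffer are assumptions matching dig's defaults.

```python
"""Build an EDNS query with an unknown option and classify how a server
answered it (RFC 6891 section 6.1.2: unknown options MUST be ignored).
Added example; helper names and sample replies are constructed here."""
import struct

OPT_RR_TYPE = 41
OPT_NSID = 3            # allocated, RFC 5001 (dig +nsid)
OPT_EXPIRE = 9          # allocated, RFC 7314 (dig +expire)
OPT_UNALLOCATED = 100   # what dig +ednsopt=100 sends in the post
RCODE_FORMERR = 1
RCODE_BADVERS = 16      # low 4 bits in the header, high 8 bits in the OPT TTL


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed owner name; return (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_opt_rr(options, udp_size=4096, ext_rcode=0, version=0, do_bit=False):
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE(8) | VERSION(8) | DO(1) | Z(15), RDATA = options.
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    ttl = (ext_rcode << 24) | (version << 16) | (0x8000 if do_bit else 0)
    return b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_size, ttl, len(rdata)) + rdata


def build_query(zone, qid=0x1234, qtype=6, options=()):
    """SOA query for `zone` with one OPT RR in the additional section (RD=1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(zone) + struct.pack("!HH", qtype, 1) + build_opt_rr(list(options))


def parse_response(msg):
    """Return header RCODE merged with the OPT extended RCODE, plus the OPT options."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, opt = 12, None
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == OPT_RR_TYPE:
            options, p = [], 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                options.append((code, rdata[p + 4:p + 4 + olen]))
                p += 4 + olen
            opt = {"ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF, "options": options}
    rcode = (flags & 0x0F) | ((opt["ext_rcode"] << 4) if opt else 0)
    return {"id": qid, "rcode": rcode, "opt": opt}


def classify(response, sent_code=OPT_UNALLOCATED):
    """Map a reply (or None for no reply) to the behaviours listed in the post."""
    if response is None:
        return "no answer (query dropped, e.g. by a firewall)"
    r = parse_response(response)
    if r["rcode"] == RCODE_FORMERR:
        return "FORMERR on unknown option"
    if r["rcode"] == RCODE_BADVERS:
        return "BADVERS on unknown option"
    if r["opt"] is None:
        return "no OPT RR in response (EDNS not returned)"
    if any(code == sent_code for code, _ in r["opt"]["options"]):
        return "unknown option echoed back"
    return "ok: unknown option ignored"


def make_response(zone, qid=0x1234, rcode=0, include_opt=True, echo=()):
    """Constructed server reply (QR=1, RD/RA set) for offline testing; not captured traffic."""
    header = struct.pack("!HHHHHH", qid, 0x8180 | (rcode & 0x0F), 1, 0, 0, 1 if include_opt else 0)
    msg = header + encode_name(zone) + struct.pack("!HH", 6, 1)
    if include_opt:
        msg += build_opt_rr(list(echo), ext_rcode=rcode >> 4)
    return msg


def probe_results(zone="example."):
    """Build the probe query and classify one constructed reply per behaviour."""
    query = build_query(zone, options=[(OPT_UNALLOCATED, b"")])
    samples = {
        "compliant": make_response(zone),
        "formerr": make_response(zone, rcode=RCODE_FORMERR),
        "badvers": make_response(zone, rcode=RCODE_BADVERS),
        "echo": make_response(zone, echo=[(OPT_UNALLOCATED, b"")]),
        "no_edns": make_response(zone, include_opt=False),
        "dropped": None,
    }
    return query, {name: classify(resp) for name, resp in samples.items()}


if __name__ == "__main__":
    q, results = probe_results()
    print(len(q), "byte query;", parse_response(q)["opt"]["options"])
    for name, verdict in results.items():
        print(f"{name:10s} {verdict}")
```

Against a real server, send `query` over UDP to port 53 and hand the datagram (or `None` on timeout) to `classify`; repeating with `build_opt_rr(..., version=1)` or with a Z bit set in the TTL exercises the new-version and new-flag cases the post mentions, where BADVERS is the correct answer for the former and silence from a firewall is the failure.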