1. DNS/cookies

The discovery of DNS/saddns has put DNS/毒盛 (cache poisoning) back in the spotlight.

DNS/セキュリティ

1.1. Simple countermeasures

More and more authoritative servers support cookies, so use them wherever they are available.

With this, even those who want to avoid TCP should have no complaints: just enable cookies.

Use UDP cookies to detect poisoned (spoofed) responses.
  Discard fragmented responses.
Re-query over TCP any peer that does not return a cookie.
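The three rules above, worked through on the wire format of RFC 7873, as an added example that is not part of this page or of any resolver's code. It is plain Python with no dependencies: it builds a query carrying a COOKIE option (code 10) in an OPT RR, parses a reply, and applies the page's policy (matching cookie: accept; wrong or malformed cookie: drop; no cookie: re-query over TCP). It goes one step beyond the page by also handling the FORMERR/BADVERS failure mode discussed in the BIND section below, retrying without the COOKIE option instead of dropping EDNS altogether; that retry policy, the 1232-byte UDP size, and every reply are constructed here for illustration, not captured from a real server.

```python
"""Client-side EDNS COOKIE (RFC 7873) handling for a resolver, pure Python (added example)."""
import os
import struct

OPT_COOKIE = 10        # EDNS option code assigned to COOKIE by RFC 7873
TYPE_OPT = 41          # RR type of the EDNS(0) OPT pseudo-RR
TYPE_A = 1
UDP_PAYLOAD = 1232     # advertised buffer; assumption: small enough to stay under fragmentation thresholds
RCODE_FORMERR = 1
EXT_RCODE_BADVERS = 1  # BADVERS is 16; its upper 8 bits live in the top byte of the OPT TTL

def encode_name(name):
    """'example.com.' -> wire-format labels terminated by the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def cookie_option(client_cookie, server_cookie=b""):
    """COOKIE option: 8-byte client cookie, optionally followed by an 8..32-byte server cookie."""
    if len(client_cookie) != 8 or (server_cookie and not 8 <= len(server_cookie) <= 32):
        raise ValueError("cookie length violates RFC 7873 section 4")
    data = client_cookie + server_cookie
    return struct.pack("!HH", OPT_COOKIE, len(data)) + data

def opt_rr(options, ext_rcode=0):
    """OPT pseudo-RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags, RDATA = options."""
    rdata = b"".join(options)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_PAYLOAD, ext_rcode << 24, len(rdata)) + rdata

def build_query(txid, qname, qtype, client_cookie, server_cookie=b""):
    """Recursive query with one question and our cookie in the ADDITIONAL section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + opt_rr([cookie_option(client_cookie, server_cookie)])

def skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # a compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_opt(msg):
    """(ext_rcode_hi, cookie_data_or_None) from the OPT RR, or None if the message carries no OPT."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype != TYPE_OPT:
            continue
        cookie, pos = None, 0
        while pos + 4 <= len(rdata):        # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code == OPT_COOKIE:
                cookie = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
        return ttl >> 24, cookie
    return None

def classify(sent_client_cookie, reply):
    """Policy for a UDP reply to a cookie-bearing query: the page's rules plus a FORMERR/BADVERS retry."""
    rcode = reply[3] & 0x0F
    opt = parse_opt(reply)
    if rcode == RCODE_FORMERR or (opt and opt[0] == EXT_RCODE_BADVERS):
        return "retry-without-cookie"   # assumed policy: server mishandles COOKIE, keep EDNS, drop just the option
    if opt is None or opt[1] is None:
        return "retry-over-tcp"         # peer returned no cookie: move the exchange to TCP
    cookie = opt[1]
    if cookie[:8] != sent_client_cookie or not 16 <= len(cookie) <= 40:
        return "drop"                   # wrong client cookie (off-path forgery) or malformed length
    return "accept"

def build_reply(query, a_rdata, cookie_data=None, rcode=0, ext_rcode=0):
    """Constructed sample reply (not a live capture): echoes the question, one A record, optional OPT."""
    txid, = struct.unpack("!H", query[:2])
    question = query[12:skip_name(query, 12) + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + a_rdata   # name = pointer to offset 12
    additional, arcount = b"", 0
    if cookie_data is not None:
        additional = opt_rr([struct.pack("!HH", OPT_COOKIE, len(cookie_data)) + cookie_data], ext_rcode)
        arcount = 1
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1, 0, arcount)
    return header + question + answer + additional

if __name__ == "__main__":
    cc = os.urandom(8)                                   # fresh client cookie per exchange
    q = build_query(0x1234, "example.com.", TYPE_A, cc)
    for label, reply in [
        ("genuine reply", build_reply(q, bytes([192, 0, 2, 1]), cc + os.urandom(8))),
        ("off-path spoof", build_reply(q, bytes([192, 0, 2, 66]), os.urandom(16))),
        ("no cookie support", build_reply(q, bytes([192, 0, 2, 1]))),
        ("FORMERR on COOKIE", build_reply(q, bytes([192, 0, 2, 1]), rcode=RCODE_FORMERR)),
    ]:
        print(f"{label:20s} -> {classify(cc, reply)}")
```

The fragmented-response rule is not implemented here: IP fragmentation is invisible at this layer, so it is enforced by the socket or packet filter, with the small advertised UDP size as the application-side contribution. Note also that the off-path spoof is rejected by the client cookie alone; the server cookie (bytes 8 onward) is opaque to the client and only has to be echoed back unchanged.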

1.2. RFC

https://tools.ietf.org/html/rfc7873 /5.3 /1 https://www.ietf.org/rfc/rfc7873.txt

https://tex2e.github.io/rfc-translater/html/rfc7873.html

1.3. Cache poisoning countermeasures

https://slashdot.org/~marka63

1.4. BIND

DNS Cookies in BIND 9 https://kb.isc.org/docs/aa-01387

allows the client to detect and ignore off-path spoofed responses, and
the server to determine that a client's address is not spoofed.

https://kb.isc.org/article/AA-01387/0/DNS-Cookies-in-BIND-9.10-and-9.11.html

COOKIE, like all EDNS options, is theoretically incrementally and independently deployable.

In practice, this is not always the case; about 10% of servers (as of June 2016) mishandle queries with unknown EDNS options in various ways.

Nevertheless, mishandling of the COOKIE option has been known to cause errors that are fatal to name resolution when the resolver is validating responses coming from a signed zone, and the authoritative server returns either FORMERR or BADVERS, or fails to respond to the query.

named treats these answers as if the server does not support EDNS (which it doesn't) so it stops sending any EDNS queries at all, which makes it impossible to get a DNSSEC response back.

Mishandling of the COOKIE option can also trigger incorrect responses (such as NXDOMAIN or NOERROR/NODATA, when there should have been a positive answer).

No option is described for switching to TCP when COOKIE: (good) is not obtained. (Perhaps there is none.)

1.5. kresd

https://knot-resolver.readthedocs.io/en/stable/quickstart-config.html

https://readthedocs.org/projects/knot-resolver/downloads/pdf/stable/

policy TCP

See modules/cookies/.

Read lib/rplan.h, resolve.c and the code around them. -- ToshinoriMaeno 2020-11-21 08:15:30

1.6. MS DNS

Fixed in recent versions. https://kevinlocke.name/bits/2017/01/20/formerr-from-microsoft-dns-server-for-dig/

MoinQ: DNS/セキュリティ/cookies (last edited 2021-04-01 06:50:39 by ToshinoriMaeno)