1. DNS/毒盛/2020/saddns.net/knot-resolver
Please describe this topic here.
https://twitter.com/CZ_NIC/status/1329417736552910852?s=20
- Blog CZ.NIC: Knot Resolver is not SAD DNS resolver:
https://en.blog.nic.cz/2020/11/19/knot-resolver-is-not-sad-dns-resolver/
In short – security defenses implemented in Knot Resolver since 2015 prevent SAD DNS from being effective!
Knot Resolver behavior (description of the defenses)
Knot Resolver checks if incoming UDP responses from authoritative servers have the same signature (consisting of message ID, query class, query name, query type and also 0x20 CaSe raNDOmIZatioN) as the original query sent to the authoritative server. A mismatch on any field causes Knot Resolver to ignore incoming UDP responses and to re-query over TCP.
Cookies are not mentioned. -- ToshinoriMaeno 2020-11-19 22:21:44
It switches to TCP. Can the very first forged reply trigger the switch?
- Poison might get in before the switch happens. There is no evaluation of that.
Cache management policy
Knot Resolver refuses to overwrite records in cache with new data not secured by DNSSEC (if the data in cache are not about to expire). This includes the negative cache – information about the non-existence of a record. This is a countermeasure to the technique described in figure 7 of the paper.
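As an added example (not code from the original page, from the CZ.NIC blog, or from Knot Resolver itself), the following Python models the two defenses quoted above: the query/response signature comparison with 0x20 case randomization and the one-strike fallback to TCP described under "Knot Resolver behavior", and the cache-overwrite rule described in the paragraph just above. All class and function names, the tuple of compared fields as a dataclass, the 30-second "about to expire" window and the constructed sample inputs are assumptions made for the illustration.

```python
"""Illustrative model of two Knot Resolver defenses (not Knot Resolver code).
Names, data layout and EXPIRY_GRACE_SECONDS are assumptions for this example."""
from dataclasses import dataclass
from typing import Optional

# Assumed window in which a cache entry counts as "about to expire".
EXPIRY_GRACE_SECONDS = 30.0


@dataclass(frozen=True)
class DnsSignature:
    """Fields compared between the query sent and the UDP reply received.
    qname is kept exactly as sent, i.e. with 0x20 case randomization applied."""
    msg_id: int
    qname: str
    qtype: int
    qclass: int


def signature_matches(sent: DnsSignature, reply: DnsSignature) -> bool:
    """Byte-for-byte comparison of message ID, class, name (case included) and type.
    A reply that carries the name in normalized lowercase fails on qname alone."""
    return (
        sent.msg_id == reply.msg_id
        and sent.qclass == reply.qclass
        and sent.qtype == reply.qtype
        and sent.qname == reply.qname
    )


class UdpTransaction:
    """One outstanding query over UDP. The first mismatching reply closes the
    UDP side and marks the query for re-sending over TCP; every later UDP
    packet, even one that would have matched, is dropped."""

    def __init__(self, sent: DnsSignature) -> None:
        self.sent = sent
        self.fallback_to_tcp = False
        self.accepted: Optional[DnsSignature] = None

    def on_udp_reply(self, reply: DnsSignature) -> str:
        if self.fallback_to_tcp:
            return "dropped"            # UDP socket already closed
        if signature_matches(self.sent, reply):
            self.accepted = reply
            return "accepted"
        self.fallback_to_tcp = True     # suspicious packet: re-query over TCP
        return "fallback-tcp"


@dataclass
class CacheEntry:
    """A cached positive or negative (e.g. NXDOMAIN) answer."""
    rdata: Optional[str]                # None models a negative-cache entry
    dnssec_secure: bool
    expires_at: float


def may_overwrite(existing: Optional[CacheEntry], new_is_secure: bool, now: float) -> bool:
    """Cache-overwrite rule: data not secured by DNSSEC may replace an entry
    only when there is none or it is about to expire; validated data always may."""
    if existing is None or new_is_secure:
        return True
    return existing.expires_at - now <= EXPIRY_GRACE_SECONDS


def demo() -> dict:
    """Run both checks on constructed inputs and return the outcomes."""
    sent = DnsSignature(msg_id=0x1234, qname="wWw.ExAmPlE.cOm.", qtype=1, qclass=1)
    lowercased = DnsSignature(msg_id=0x1234, qname="www.example.com.", qtype=1, qclass=1)
    tx = UdpTransaction(sent)
    first = tx.on_udp_reply(lowercased)   # right ID, wrong case -> TCP fallback
    second = tx.on_udp_reply(sent)        # genuine reply after fallback is ignored
    # Constructed negative-cache entry, unsigned, expiring at t=2000.
    cached = CacheEntry(rdata=None, dnssec_secure=False, expires_at=2000.0)
    return {
        "first": first,
        "second": second,
        "unsigned_overwrite_fresh": may_overwrite(cached, False, now=1000.0),
        "signed_overwrite_fresh": may_overwrite(cached, True, now=1000.0),
        "unsigned_overwrite_expiring": may_overwrite(cached, False, now=1980.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the page's point concrete: a reply that gets the message ID right but carries the name without the original 0x20 casing is rejected, and from that moment the UDP socket is dead for that query, so a second attempt is not scored at all. The cache side shows why an unsigned answer arriving while a fresh entry exists cannot displace it, while a DNSSEC-validated one can.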
1.1. Assumptions for analysis
- The analysis assumes conditions favorable to the attacker. (Several defenses are assumed to be disabled.)
Packets with the correct source port but a mismatching query/response signature cause an immediate fallback to TCP, closing the UDP socket and ignoring all packets that later arrive at it (see the section about Knot Resolver behavior above).
As a consequence of switching to TCP after receiving the first suspicious answer, the attacker is forced to guess the correct source port (15 bits) and message ID (16 bits) at once. This leaves the attacker with 31 bits of entropy to guess on the first try.