On 27. 09. 23 9:38, Ralf Weber wrote:
> Moin!
>
> On 27 Sep 2023, at 3:58, Xiang Li wrote:
>
>> Hi Stephane,
>>
>> This is Xiang, the author of this paper.
>>
>> For the off-path attack, DoT can protect the CDNS from being poisoned.
>> For the on-path attack, since the forwarding query is sent to the
>> attacker's server, only DNSSEC can mitigate the MaginotDNS.
>
> I don’t think this is true, otherwise all resolver implementations would
> have been affected and not just a few. If you are on path directly behind
> the resolver, of course all bets are off, but if you are on path just
> between the resolver and the forwarder, those resolvers that are more
> cautious in what cache information they use for iterative queries are not
> vulnerable.
>
> I guess that is why Akamai CacheServe, NLnet Labs Unbound and PowerDNS
> Recursor are not mentioned in the paper, because they were not vulnerable.

That's right.

If you are interested in the gory details, BIND's description of the issue can be found here:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2950#note_241893
https://gitlab.isc.org/isc-projects/bind9/-/issues/2950#note_244624

Also the surrounding comments have more details including vulnerable config files and PCAPs.

--
Petr Špaček
Internet Systems Consortium


_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
