Hi DNSOP,

My name is Yuqi Qiu. My supervisor Xiang Li and I recently submitted six Internet-Drafts. We wrote these documents based on recent academic research. This research includes findings on TsuKing, MaginotDNS, DNSBomb, TUDOOR, and Phoenix Domain. The results showed that many current resolvers have logic vulnerabilities. Our goal is to provide clear operational guidelines to fix these issues. We want to help implementers make their resolvers more secure. We have summarized the drafts below for your convenience.

1. Resilience Against DoS and Amplification

Resolver Resilience
draft-li-dnsop-resolver-resilience-01
This draft provides best practices for handling query timeouts and aggregation. It helps prevent Pulsing DoS attacks such as "DNSBomb".
Link: https://datatracker.ietf.org/doc/draft-li-dnsop-resolver-resilience/

RD Flag Clarification
draft-qiu-dnsop-rd-flag-clarification-01
This draft clarifies how resolvers should handle the RD flag when it is set to 0. This standardizes behavior to stop loop amplification attacks like "TsuKing".
Link: https://datatracker.ietf.org/doc/draft-qiu-dnsop-rd-flag-clarification/

2. Strengthening Cache Logic

Enhanced Bailiwick Checking
draft-qiu-dnsop-enhanced-bailiwick-01
This document defines stricter rules for accepting data into the cache. It mitigates cache poisoning threats found in "MaginotDNS".
Link: https://datatracker.ietf.org/doc/draft-qiu-dnsop-enhanced-bailiwick/

ECS Aggregation Fix
draft-li-dnsop-ecs-aggregation-fix-00
This draft improves how resolvers handle queries with ECS options. It restores the effectiveness of query aggregation to prevent attacks like "RebirthDay".
Link: https://datatracker.ietf.org/doc/draft-li-dnsop-ecs-aggregation-fix/

3. Handling Malformed Packets and Deep Hierarchies

Response Pre-processing
draft-li-dnsop-response-preprocessing-01
This draft provides guidelines for validating incoming packets before processing them. It prevents logic vulnerabilities exposed by the "TUDOOR" attack.
Link: https://datatracker.ietf.org/doc/draft-li-dnsop-response-preprocessing/

Deep Delegation Scrutiny
draft-li-dnsop-deep-delegation-scrutiny-00
This draft recommends checks for domains with an excessive number of labels. It helps mitigate revocation evasion techniques like "Phoenix Domain".
Link: https://datatracker.ietf.org/doc/draft-li-dnsop-deep-delegation-scrutiny/

We believe these drafts fill important gaps in DNS security. We will attend IETF 125 in Shenzhen and look forward to discussing these topics with the working group. We welcome any feedback on the mailing list.

Best regards,
Yuqi Qiu
Nankai University
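For readers unfamiliar with the cache-acceptance check that "Enhanced Bailiwick Checking" builds on, the following is an added Python example (not code from the drafts or their authors) implementing the conventional bailiwick rule over a constructed response; the stricter rules of draft-qiu-dnsop-enhanced-bailiwick are not reproduced here. The RR class, the zone name, and all names and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a response section (constructed helper)."""
    name: str
    rtype: str
    rdata: str

def canon(name: str) -> str:
    """Normalise an owner name: case-insensitive, no trailing dot; the root becomes ''."""
    return name.rstrip(".").lower()

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if OWNER is at or below ZONE, the zone the queried server is authoritative for.
    The root zone ('' or '.') has bailiwick over every name."""
    owner, zone = canon(owner), canon(zone)
    return zone == "" or owner == zone or owner.endswith("." + zone)

def filter_response(zone: str, *sections):
    """Split every record in the given sections into (accepted, rejected) by the bailiwick rule.
    Rejected records must not enter the cache, whichever section carried them."""
    accepted, rejected = [], []
    for section in sections:
        for rr in section:
            (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected

# Constructed response from a hypothetical example.com server to "www.example.com A".
# The NS record naming ns.example.net is legitimate (its owner is example.com), but the
# glue for ns.example.net lies outside the zone and must be resolved separately, not cached.
SERVER_ZONE = "example.com."
ANSWER = [RR("www.example.com.", "A", "192.0.2.10")]
AUTHORITY = [RR("example.com.", "NS", "ns1.example.com."),
             RR("example.com.", "NS", "ns.example.net.")]
ADDITIONAL = [RR("ns1.example.com.", "A", "192.0.2.53"),
              RR("ns.example.net.", "A", "198.51.100.7"),    # outside example.com
              RR("notexample.com.", "A", "203.0.113.9"),     # suffix trick: not a subdomain
              RR("bank.example.org.", "A", "203.0.113.10")]  # unrelated zone entirely

def demo():
    """Return the canonical owner names that would be cached and those discarded."""
    accepted, rejected = filter_response(SERVER_ZONE, ANSWER, AUTHORITY, ADDITIONAL)
    return [canon(rr.name) for rr in accepted], [canon(rr.name) for rr in rejected]

if __name__ == "__main__":
    cacheable, discarded = demo()
    print("cacheable:", cacheable)
    print("discarded:", discarded)
```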
