2016
DOI: 10.17487/rfc7873
Domain Name System (DNS) Cookies

Abstract: DNS Cookies are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of increasingly common denial-of-service and amplification/forgery or cache poisoning attacks by off-path attackers.

Cited by 20 publications (13 citation statements)
References 10 publications
“…To prevent amplification attacks, an Authoritative DNS server MAY wish to prevent returning OPENPGPKEY records over UDP unless the source IP address has been confirmed with [RFC7873]. Such servers MUST NOT return REFUSED, but answer the query with an empty answer section and the truncation flag set ("TC=1").…”
Section: MUA Behavior
“…A potential solution to this is some form of source address authentication, that allows the recipient of a packet to establish that the source address has not been spoofed. An effective way to implement this is by using cookies, as proposed by Eastlake in [16]. In short, the idea is that a name server does not send large responses to a client using EDNS0 unless the client proves its authenticity using an authentication cookie established during an initial interaction between client and server.…”
Section: EDNS0 Cookies
“…To prevent amplification attacks, an Authoritative DNS server MAY wish to prevent returning SMIMEA records over UDP unless the source IP address has been confirmed with DNS Cookies [RFC7873]. If a query is received via UDP without source IP address verification, the server MUST NOT return REFUSED but answer the query with an empty answer section and the truncation flag set ("TC=1").…”
Section: Response Size