2009
DOI: 10.17487/rfc5452

Measures for Making DNS More Resilient against Forged Answers

Citations: cited by 52 publications (50 citation statements)
References: 13 publications
“…The DNS Cookie mechanism is designed for incremental deployment and to complement the orthogonal techniques in [RFC5452]. Either or both techniques can be deployed independently at each DNS server and client.…”
Section: Operational and Deployment Considerations (mentioning)
confidence: 99%
“…The DNS Cookie mechanism provides limited protection to DNS servers and clients against a variety of increasingly common abuses by off-path attackers. It is compatible with, and can be used in conjunction with, other DNS transaction forgery resistance measures such as those in [RFC5452]. (Since DNS Cookies are only returned to the IP address from which they were originally received, they cannot be used to generally track Internet users.…”
Section: Introduction (mentioning)
confidence: 99%
“…Both parties send and receive an original <SYN> without an intervening <SYN,ACK(SYN)> (see [RFC793] This condition will be unusual. The Source Port SHOULD be randomized [RFC5452], and SHOULD be chosen to differ from the Destination Port. In particular, the Source Port SHOULD be greater than 1024, preventing intervening network equipment from incorrectly classifying the return traffic.…”
Section: Simultaneous Open (mentioning)
confidence: 99%
“…It is strongly RECOMMENDED that DNS proxies follow the relevant recommendations in [RFC5452], particularly those in Section 9.2 relating to randomisation of Query IDs and source ports. This also applies to source port selection within any NAT function.…”
Section: Forgery Resilience (mentioning)
confidence: 99%
“…If a DNS proxy is running on a broadband gateway with NAT that is compliant with [RFC4787], then it SHOULD also follow the recommendations in Section 10 of [RFC5452] Some gateways have been observed to have their DNS proxy listening on both internal (LAN) and external (WAN) interfaces. In this configuration, it is possible for the proxy to be used to mount reflector attacks as described in [RFC5358].…”
Section: Forgery Resilience (mentioning)
confidence: 99%