Measures against cache poisoning attacks using IP fragmentation in DNS
Researchers have proposed practical DNS cache poisoning attacks that exploit
IP fragmentation of UDP responses. This document presents feasible and
adequate countermeasures at full-service resolvers and at authoritative
servers. To protect a resolver, avoid fragmentation (limit the requestor's
EDNS0 UDP payload size to 1220 or 1232), drop fragmented UDP DNS responses,
and fall back to TCP on the resolver side. To make a domain name robust
against these attacks, limit the EDNS0 responder's maximum UDP payload size
to 1220, set the Don't Fragment (DONTFRAG) option on DNS response packets,
and use a good random IP fragmentation ID on the authoritative server side.