> 
> Which brings me to the topic of resolver-behind-upstream attacks which were 
> not commented upon.
> As you know, one of the recommendations of experts and Internet operators, 
> following Kaminsky attack, was `either deploy patches or configure your 
> resolver to use a secure upstream forwarder`, e.g., OpenDNS was typically 
> recommended. The security is established since the resolver is hidden from 
> the Internet and sends its requests only via its upstream forwarder.
> This configuration is still believed to be secure and is recommended by 
> experts.

Would DNSCrypt, supported by OpenDNS, be a possible mitigation to this issue?
> 
> As you know we found vulnerabilities in such configuration, and designed 
> techniques allowing to find the IP address of the hidden resolver, and then 
> to discover its port allocation (the attacks apply to per-destination ports 
> recommended in [RFC6056] or to fixed ports).
> This attack can be extremely stealthy and efficient, and applies to networks 
> where communication between the resolver and upstream forwarder is not over 
> TCP, and therefore can be fragmented (fragmentation of a single byte 
> suffices).

Would IPsec between resolver and upstream forwarder be a possible mitigation to 
this issue?


Rubens
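The quoted attack depends on DNS responses from the upstream forwarder arriving at the hidden resolver as IP fragments, where only the IP identification field ties a trailing fragment to the response it belongs to. The following is an added example, not code from this thread or from any resolver project: a small audit routine that parses raw IPv4/UDP packets captured on the resolver's interface and reports every fragmented datagram coming from the forwarder, so an operator can check whether the resolver-to-forwarder path actually carries fragments before deciding on TCP, IPsec or a smaller EDNS buffer. The forwarder and resolver addresses, the sample packets and the IP IDs are all constructed for the example.

```python
import struct
from typing import Dict, List, Optional

UDP_PROTO = 17
DNS_PORT = 53

FORWARDER = "10.0.0.2"   # constructed address of the upstream forwarder
RESOLVER = "10.0.0.1"    # constructed address of the hidden resolver


def build_ipv4(ident: int, mf: bool, offset: int, payload: bytes,
               src: str = FORWARDER, dst: str = RESOLVER) -> bytes:
    """Build a minimal IPv4 packet (no options, checksum left zero) for the
    constructed samples below. offset is in bytes and must be a multiple of 8."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)   # bit 13 = MF
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, UDP_PROTO, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def build_udp(src_port: int, dst_port: int, data: bytes, total_len: int = 0) -> bytes:
    """UDP header (checksum zero) followed by data; total_len overrides the
    length field when the datagram continues in a later fragment."""
    return struct.pack("!HHHH", src_port, dst_port, total_len or 8 + len(data), 0) + data


def parse_ipv4(packet: bytes) -> Dict:
    """Return the IPv4 fields needed to reason about fragmentation."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident,
            "mf": bool((flags_frag >> 13) & 1),
            "offset": (flags_frag & 0x1FFF) * 8,
            "proto": proto,
            "src": ".".join(str(b) for b in src),
            "dst": ".".join(str(b) for b in dst),
            "payload": packet[ihl:]}


def classify(packet: bytes, forwarder_ip: str) -> Optional[Dict]:
    """Classify one UDP packet from the forwarder, or return None for other traffic.
    kind: 'whole'    complete datagram, UDP ports visible
          'first'    first fragment (MF set, offset 0), UDP ports visible
          'trailing' later fragment: no UDP header at all, only the IP ID links
                     it to a DNS answer, which is the weakness the attack uses"""
    ip = parse_ipv4(packet)
    if ip["proto"] != UDP_PROTO or ip["src"] != forwarder_ip:
        return None
    finding = {"id": ip["id"], "src": ip["src"], "dst": ip["dst"],
               "src_port": None, "dst_port": None}
    if ip["offset"] > 0:
        finding["kind"] = "trailing"
        return finding
    if len(ip["payload"]) >= 8:
        sp, dp, _ln, _ck = struct.unpack("!HHHH", ip["payload"][:8])
        finding["src_port"], finding["dst_port"] = sp, dp
    finding["kind"] = "first" if ip["mf"] else "whole"
    return finding


def audit(packets: List[bytes], forwarder_ip: str) -> Dict:
    """Count whole/first/trailing packets from the forwarder and collect the IP
    IDs that were fragmented; a non-empty set means answers are being split on
    the resolver<->forwarder path."""
    summary = {"whole": 0, "first": 0, "trailing": 0,
               "fragmented_ids": set(), "findings": []}
    for pkt in packets:
        f = classify(pkt, forwarder_ip)
        if f is None:
            continue
        summary["findings"].append(f)
        summary[f["kind"]] += 1
        if f["kind"] != "whole":
            summary["fragmented_ids"].add(f["id"])
    return summary


# Constructed capture: one small answer, one answer split in two, one unrelated NTP packet.
SAMPLE_PACKETS = [
    build_ipv4(0x1001, False, 0, build_udp(DNS_PORT, 40000, b"\x00" * 64)),
    build_ipv4(0x1002, True, 0, build_udp(DNS_PORT, 40000, b"\x00" * 1472, total_len=1496)),
    build_ipv4(0x1002, False, 1480, b"\x00" * 16),           # trailing fragment, no UDP header
    build_ipv4(0x1003, False, 0, build_udp(123, 123, b"\x00" * 48), src="10.0.0.9"),
]

if __name__ == "__main__":
    result = audit(SAMPLE_PACKETS, FORWARDER)
    print({k: v for k, v in result.items() if k != "findings"})
```

The `trailing` finding carries no port information at all, which is why port randomisation on the resolver side does nothing for the second fragment; anything that keeps responses below the path MTU (a capped EDNS buffer size) or off UDP entirely (TCP, or IPsec that authenticates the whole datagram) removes the condition this audit is looking for.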

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs