I'm reading the paper behind "MaginotDNS: Attacking the boundary of DNS caching protection" <https://blog.apnic.net/2023/09/26/maginotdns-attacking-the-boundary-of-dns-caching-protection/> <https://www.usenix.org/system/files/usenixsecurity23-li-xiang.pdf>.
Am I correct to think that forwarding from the CDNS to the upstream resolver with DoT (DNS over TLS) would be sufficient to disable the attack (even TCP or cookies would be enough if the attacker is off-path)?
