Hi Stephane,

This is Xiang, the author of this paper.

For the off-path attack, DoT can protect the CDNS from being poisoned. For the on-path attack, since the forwarding query is sent to the attacker's server, only DNSSEC can mitigate the MaginotDNS.

Best,
Xiang

On Tue, Sep 26, 2023 at 11:42 PM Stephane Bortzmeyer <[email protected]> wrote:
> I'm reading the paper behind "MaginotDNS: Attacking the boundary of
> DNS caching protection"
> <https://blog.apnic.net/2023/09/26/maginotdns-attacking-the-boundary-of-dns-caching-protection/>
> <https://www.usenix.org/system/files/usenixsecurity23-li-xiang.pdf>.
>
> Am I correct to think that forwarding from the CDNS to the upstream
> resolver with DoT (DNS over TLS) would be sufficient to disable the
> attack (even TCP or cookies would be enough if the attacker is
> off-path)?
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
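As an added illustration that is not part of either message: an Unbound configuration for a conditional DNS server (CDNS) that applies both mitigations Xiang names, DoT to the forwarder for the off-path case and DNSSEC validation for the on-path case. The zone name, upstream address, TLS auth name and file paths are placeholders, and validation only helps for zones that are actually DNSSEC-signed.

```conf
server:
    # Validate DNSSEC on every answer, whether it came back through the
    # forwarder or through this server's own recursion. This is the only
    # defence when the forwarded query ends up at an attacker-run server
    # (on-path case), and it requires the zone itself to be signed.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # path is an assumption
    val-permissive-mode: no
    # CA bundle used to authenticate the DoT upstream (path is an assumption).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Conditional forwarding: only this zone is handed to an upstream; every
# other name is resolved recursively by the same daemon, which is what
# makes this a CDNS rather than a pure forwarder.
forward-zone:
    name: "corp.example."                                  # placeholder zone
    # Weak setting (off-path attacker can race spoofed UDP replies):
    #   forward-addr: 192.0.2.53
    # Hardened setting: port 853 (DoT) and '#' followed by the TLS auth
    # name the upstream's certificate must match (both placeholders).
    forward-addr: 192.0.2.53@853#resolver.corp.example
    forward-tls-upstream: yes
```

Check the result with `unbound-checkconf` and then `dig +dnssec` against the CDNS; a validated answer carries the AD flag, while an answer that fails validation is returned as SERVFAIL rather than cached.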
