Wessels, Duane wrote on 2019-12-04 14:22:
...
> DNS messages over TCP are in no way guaranteed to arrive in single
> segments. In fact, a clever attacker might attempt to hide certain
> messages by forcing them over very small TCP segments. Applications
> that capture network packets (e.g., with libpcap [libpcap]) SHOULD be
> prepared to implement and perform full TCP segment reassembly.
>
> dnscap [dnscap] is an open-source example of a DNS logging program
> that implements TCP reassembly.
>
> Developers SHOULD also keep in mind connection reuse, query
> pipelining, and out-of-order responses when building and testing DNS
> monitoring applications.

i suggest a reference to 'dnstap' here, as a server-integrated
monitoring protocol intended to facilitate wide scale dns monitoring.
--
P Vixie
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
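
The reassembly step the quoted draft text asks monitoring tools to perform, as an added Python example that is not part of the original message and is not code from dnscap or dnstap. The class and function names are hypothetical and the sample queries are constructed. It assumes the capture layer has already provided the initial sequence number from the SYN plus each segment's sequence number and payload, and it does not arbitrate between overlapping segments that carry conflicting bytes.

```python
import struct

def _signed32(d):  # 32-bit sequence-number difference as a signed value (handles wrap)
    d &= 0xFFFFFFFF
    return d - (1 << 32) if d & 0x80000000 else d

class DnsTcpStream:
    """One direction of a TCP connection carrying DNS (2-byte length prefix)."""
    def __init__(self, isn, max_pending=1024):
        self.next_seq = (isn + 1) & 0xFFFFFFFF  # first data byte follows the SYN
        self.pending = {}                       # seq -> payload not yet in order
        self.buf = bytearray()                  # in-order bytes not yet parsed
        self.max_pending = max_pending          # bound the memory held per stream

    def add_segment(self, seq, payload):
        """Feed one captured segment; return the DNS messages it completes."""
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload
        if len(self.pending) > self.max_pending:
            raise OverflowError("too many out-of-order segments buffered")
        for s in sorted(self.pending, key=lambda s: _signed32(s - self.next_seq)):
            done = _signed32(self.next_seq - s)  # bytes of s already delivered
            if done < 0:
                break                            # gap: wait for the missing segment
            data = self.pending.pop(s)[done:]    # trim retransmitted overlap
            self.buf += data
            self.next_seq = (self.next_seq + len(data)) & 0xFFFFFFFF
        msgs = []
        while len(self.buf) >= 2:                # one segment may complete several
            (n,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + n:
                break                            # message continues in a later segment
            msgs.append(bytes(self.buf[2:2 + n]))
            del self.buf[:2 + n]
        return msgs

def make_query(msg_id, name):  # constructed sample: minimal A/IN query
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def demo():
    """Two pipelined queries, cut into 3-byte segments, delivered in reverse."""
    isn = 0xFFFFFFF0                             # constructed; makes seq numbers wrap
    queries = [make_query(0x1111, "a.example"), make_query(0x2222, "b.example")]
    stream = b"".join(struct.pack("!H", len(q)) + q for q in queries)
    segs = [((isn + 1 + i) & 0xFFFFFFFF, stream[i:i + 3])
            for i in range(0, len(stream), 3)]
    s, out = DnsTcpStream(isn), []
    for seq, payload in segs[::-1] + segs[:2]:   # reversed, then two retransmissions
        out += s.add_segment(seq, payload)
    return queries, out
```

A monitor that parses each captured segment on its own would see no valid DNS message in this capture; after reassembly both queries are recovered in stream order, and responses can then be matched to them by message ID rather than by arrival order.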