Hi everybody,

Quoting from http://edns-ping.org :

EDNS-PING is an option within the EDNS DNS framework which allows nameservers to protect themselves from certain "spoofing" attacks. By default, responses to DNS questions are matched to their questions by making sure they share the same DNS transaction ID, IP and network endpoints. In certain scenarios, it may be feasible for an external attacker to inject responses that artificially match the criteria outlined above. This problem would not occur if the DNS transaction ID would not have been limited to 65536 distinct values. EDNS-PING in effect allows for a far longer DNS transaction ID, making it infeasible for an external attacker to inject "fake" responses.

EDNS-PING is a work of David Ulevitch of OpenDNS, and of me.

Not much noise was made about this, but PowerDNS Authoritative Server 2.9.22 shipped with EDNS-PING support built in. Today, this is complemented by a PowerDNS Recursor 3.1.8-prerelease, which can make use of EDNS-PING to protect your DNS queries from spoofing.

Please find the snapshot on: http://svn.powerdns.com/snapshots/pdns-recursor-3.1.8-pre.tar.bz2

To test, try to resolve 'www.edns-ping.org', and watch the log file, which should then contain the following message:

Feb 08 01:21:00 We welcome 85.17.219.217 to the land of EDNS-PING!

For more information, see http://edns-ping.org

PS: This is another very good reason to upgrade your authoritative PowerDNS servers to 2.9.22!

Bert

--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
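The post describes the resolver-side idea behind EDNS-PING: a response is accepted only if it matches the query's 16-bit transaction ID and network endpoints, plus a much longer random nonce carried in an EDNS0 option that the authoritative server echoes back. The following Python script is an added example written for this page, not code from PowerDNS or from the EDNS-PING draft. It builds a query with a nonce in an OPT option, parses responses, and applies the acceptance check, showing that a response with the right transaction ID but a missing or wrong nonce is rejected. The option code `PING_OPTION_CODE = 4`, the server address `192.0.2.53` and the answer address `192.0.2.10` are assumed placeholders; the real option code comes from the draft, not from this post.

```python
"""EDNS-PING style response matching (added illustration, not PowerDNS code)."""
import os
import socket
import struct
from typing import Optional

PING_OPTION_CODE = 4  # ASSUMED placeholder option code, not taken from the post
OPT_TYPE = 41         # EDNS0 OPT pseudo-RR type (RFC 2671)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_opt_rr(nonce: bytes, udp_size: int = 4096) -> bytes:
    """OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, one option."""
    rdata = struct.pack("!HH", PING_OPTION_CODE, len(nonce)) + nonce
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata


def build_query(txid: int, qname: str, nonce: bytes) -> bytes:
    """Recursion-desired A query with the nonce in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    return header + question + build_opt_rr(nonce)


def build_response(txid: int, qname: str, answer_ip: str,
                   echo_nonce: Optional[bytes]) -> bytes:
    """Minimal answer; the nonce is echoed only if the server supports the option."""
    arcount = 1 if echo_nonce is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, arcount)  # QR, RD, RA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = (encode_name(qname) + struct.pack("!HHIH", 1, 1, 60, 4)
              + socket.inet_aton(answer_ip))
    msg = header + question + answer
    if echo_nonce is not None:
        msg += build_opt_rr(echo_nonce)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (handles a trailing compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length


def extract_ping_nonce(msg: bytes) -> Optional[bytes]:
    """Return the echoed nonce from the OPT RR, or None if the message has none."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == OPT_TYPE:
            o = 0
            while o + 4 <= len(rdata):          # walk the option list
                code, olen = struct.unpack("!HH", rdata[o:o + 4])
                if code == PING_OPTION_CODE:
                    return rdata[o + 4:o + 4 + olen]
                o += 4 + olen
    return None


def response_matches(query_txid: int, query_nonce: bytes, src: tuple,
                     expected_src: tuple, msg: bytes) -> bool:
    """Resolver acceptance check: endpoint, 16-bit txid AND echoed nonce must match."""
    if src != expected_src:
        return False
    if struct.unpack("!H", msg[:2])[0] != query_txid:
        return False
    return extract_ping_nonce(msg) == query_nonce


def search_space_bits(nonce_len: int) -> int:
    """Bits an off-path injector has to guess: txid plus the nonce it cannot see."""
    return 16 + 8 * nonce_len


if __name__ == "__main__":
    server = ("192.0.2.53", 53)                 # constructed placeholder endpoint
    nonce = os.urandom(8)
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(txid, "www.edns-ping.org", nonce)
    print("query carries nonce:", extract_ping_nonce(query) == nonce)
    good = build_response(txid, "www.edns-ping.org", "192.0.2.10", nonce)
    bare = build_response(txid, "www.edns-ping.org", "192.0.2.10", None)
    print("echoing server accepted:", response_matches(txid, nonce, server, server, good))
    print("same txid, no nonce accepted:", response_matches(txid, nonce, server, server, bare))
    print("guess space: %d bits -> %d bits" % (search_space_bits(0), search_space_bits(8)))
```

Note that a server which does not implement the option simply returns no OPT option, so a resolver deploying this check must treat an absent nonce as "unprotected" (fall back to txid and port matching) rather than as a forgery; the log line in the post marks exactly the moment a server is found to echo the nonce correctly.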
EDNS-PING is an option within the EDNS DNS framework which allows nameservers to protect themselves from certain "spoofing" attacks. By default, responses to DNS questions are matched to their questions by making sure they share the same DNS transaction ID, IP and network endpoints. In certain scenarios, it may be feasible for an external attacker to inject responses that artificially match the criteria outlined above. This problem would not occur if the DNS transaction ID would not have been limited to 65536 distinct values. EDNS-PING in effect allows for a far longer DNS transaction ID, making it infeasible for an external attacker to inject "fake" responses. EDNS-PING is a work of David Ulevitch of OpenDNS, and of me. Not much noise was made about this, but PowerDNS Authoritative Server 2.9.22 shipped with EDNS-PING support built in. Today, this is complemented by a PowerDNS Recursor 3.1.8-prerelease, which can make use of EDNS-PING to protect your DNS queries from spoofing. Please find the snapshot on: http://svn.powerdns.com/snapshots/pdns-recursor-3.1.8-pre.tar.bz2 To test, try to resolve 'www.edns-ping.org', and watch the log file, which should then contain the following message: Feb 08 01:21:00 We welcome 85.17.219.217 to the land of EDNS-PING! For more information, see http://edns-ping.org PS: This is another very good reason to upgrade your authoritative PowerDNS servers to 2.9.22! Bert -- http://www.PowerDNS.com Open source, database driven DNS Software http://netherlabs.nl Open and Closed source services _______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users