On 2016/10/13 22:55, Ted Unangst wrote:
> 16 bit IDs don't offer much security. This is well known. A trick to encode
> more bits into the query is to vary the case of the query name. It's case
> insensitive, but all known servers echo it back exactly, case preserving.

Unfortunately not. Many do but there are some cases, especially with
things like global-loadbalancer DNS servers, and firewalls doing DNS
content inspection where there are problems (either for all records, or
some records especially in-addr.arpa).

Unbound had to add fallbacks for this (see the 'caps_fallback' bits in
iterator/iterator.c). Some strategies for this are discussed in

Reply via email to