12–13 May 2019
Shangri-La Bangkok
Asia/Bangkok timezone

Measures against cache poisoning attacks using IP fragmentation in DNS

13 May 2019, 12:00
30m
Ballroom 1 (Shangri-La Bangkok)

Ballroom 1

Shangri-La Bangkok

89 ซอย Wat Suan Plu - Dumex, Khwaeng Bang Rak, Khet Bang Rak, Krung Thep Maha Nakhon 10500, Thailand
Standard Presentation Public Workshop

Speaker

Kazunori Fujiwara (Japan Registry Services Co., Ltd)

Description

Researchers proposed DNS cache poisoning attacks using IP fragmentation.
This talk reports them and proposes feasible and adequate measures at full-service resolvers against these attacks.
To protect resolvers from these attacks, avoid fragmentation (limit requestor's UDP payload size to 1220/1232), drop fragmented UDP DNS responses and use TCP at resolver side.
And more, it will report current status of fragmentation and EDNS0 payload size.
It is time to consider to avoid IP Fragmentation (and path MTU discovery) in DNS. It is not good that DNS is the biggest user of IP fragmentation.

(draft-fujiwara-dnsop-fragment-attack)

Talk Duration 30 Minutes

Primary author

Kazunori Fujiwara (Japan Registry Services Co., Ltd)

Presentation materials