
DNS Cookies draft-eastlake-dnsext-cookies-00.txt

DNS Cookies draft-eastlake-dnsext-cookies-00.txt. Donald E. Eastlake 3rd, Donald.Eastlake@motorola.com, +1-508-786-7554. DNS Cookies provide weak authentication of queries and responses and can be viewed as a weak version of TSIG.


Presentation Transcript


  1. DNS Cookies
     draft-eastlake-dnsext-cookies-00.txt
     Donald E. Eastlake 3rd
     Donald.Eastlake@motorola.com
     +1-508-786-7554
     IETF DNSEXT WG Cookies

  2. DNS Cookies
     • Provides weak authentication of queries and responses. Can be viewed as a weak version of TSIG.
     • No protection against “on-path” attackers, that is, no protection against anyone who can see the plain text queries and responses.
     • Requires no set-up or configuration.

  3. DNS Cookies (cont.)
     • Intended to greatly reduce:
       • Forged source IP address traffic amplification DOS attacks.
       • Forged source IP address recursive server work load DOS attacks.
       • Forged source IP address reply cache poisoning attacks.

  4. The COOKIE RR
     • A Meta-RR in the Additional Information Section.
     • RDATA:
       • Resolver Cookie, 64 bits
       • Server Cookie, 64 bits
       • Error Code

  5. Resolver Warm Fuzzies
     • If DNS Cookies Enforced:
       • Resolver puts a COOKIE RR in queries with:
         • A Resolver Cookie that varies with the server: truncated HMAC(server-IP-address, resolver secret)
         • The Server Cookie the resolver has cached for that server, if it has one
       • Resolver ignores all replies that do not have the correct Resolver Cookie
       • Caches the new Server Cookie and retries the query if it gets a Bad Cookie error with a correct Resolver Cookie

  6. Simplified Server Warm Fuzzies
     • If DNS Cookies Enforced:
       • Server puts a COOKIE RR in replies with:
         • A Server Cookie that varies with the resolver: truncated HMAC(resolver-IP-address, server secret)
         • The Resolver Cookie, if there was one in the corresponding query
       • If a query is received with a bad or no Server Cookie, send back a short error message

  7. Example (Resolver ⇄ Server; the resolver's cookie for this server is RC:123)
     • Resolver → Server   Query:       RC:123, SC:???, E:0
     • Server → Resolver   ErrReply:    RC:123, SC:789, E:BadC   (resolver caches SC:789)
     • Resolver → Server   Query:       RC:123, SC:789, E:0
     • Server → Resolver   AnsReply:    RC:123, SC:789, E:0
     • Forger → Server     ForgedQuery: RC:???, SC:???, E:0
     • Server → (forged source) ErrReply: RC:???, SC:789, E:BadC  (short error only)
     • Forger → Resolver   ForgedReply: RC:???, SC:???, E:0        (ignored: wrong Resolver Cookie)

  8. Complexities
     • Bad guy Resolver behind a NAT
       • Can get a Server Cookie and attack other resolvers behind the NAT
       • Solution: Mix the Resolver Cookie into the Server Cookie hash so multiple resolvers that appear to be at the same IP address are distinguished
     • Anycast Servers
       • Need to use the same server secret, or assure that queries from the same resolver usually go to the same server
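The following Python model is an added example, not code from the draft or from the presentation. It implements the cookie construction of slides 5 and 6 (truncated HMAC over the peer's IP address, keyed by a local secret), replays the slide 7 exchange including the forged query and forged reply, and shows the slide 8 NAT fix by mixing the Resolver Cookie into the Server Cookie hash. The slides say only "truncated HMAC"; HMAC-SHA256 truncated to 64 bits, the IP addresses, secrets and message encoding are this example's assumptions.

```python
import hashlib
import hmac

COOKIE_LEN = 8        # 64-bit cookies (slide 4)
BAD_COOKIE = "BadC"   # error code shown in the slide 7 exchange


def truncated_hmac(key: bytes, *parts: bytes) -> bytes:
    # Assumption: the slides say only "truncated HMAC"; HMAC-SHA256 is used here.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:COOKIE_LEN]


def resolver_cookie(server_ip: str, resolver_secret: bytes) -> bytes:
    """Slide 5: varies per server, HMAC(server-IP-address) keyed by the resolver secret."""
    return truncated_hmac(resolver_secret, server_ip.encode())


def server_cookie(resolver_ip: str, server_secret: bytes, rc: bytes = b"") -> bytes:
    """Slide 6: varies per resolver, HMAC(resolver-IP-address) keyed by the server secret.
    Passing the Resolver Cookie mixes it in (slide 8 fix for resolvers sharing a NAT address)."""
    return truncated_hmac(server_secret, resolver_ip.encode(), rc)


class Server:
    def __init__(self, ip: str, secret: bytes, mix_rc: bool = True):
        self.ip, self.secret, self.mix_rc = ip, secret, mix_rc

    def expected_sc(self, src_ip: str, rc: bytes) -> bytes:
        return server_cookie(src_ip, self.secret, rc if self.mix_rc else b"")

    def handle(self, src_ip: str, rc: bytes, sc: bytes):
        """Return (kind, RC, SC, E) for a query that claims to come from src_ip."""
        good = self.expected_sc(src_ip, rc)
        if not hmac.compare_digest(sc, good):
            # Short error reply: no amplification, and the Server Cookie is sent
            # to the claimed source address, so a forger never sees it.
            return ("ErrReply", rc, good, BAD_COOKIE)
        return ("AnsReply", rc, good, 0)


class Resolver:
    def __init__(self, ip: str, secret: bytes):
        self.ip, self.secret, self.sc_cache = ip, secret, {}

    def accepts(self, server: Server, reply_rc: bytes) -> bool:
        """Slide 5: a reply is only accepted if it carries the correct Resolver Cookie."""
        return hmac.compare_digest(reply_rc, resolver_cookie(server.ip, self.secret))

    def query(self, server: Server, log: list):
        rc = resolver_cookie(server.ip, self.secret)
        for _ in range(2):                      # cold start needs one Bad Cookie retry
            sc = self.sc_cache.get(server.ip, b"")   # "SC:???" until something is cached
            log.append(("Query", rc, sc, 0))
            kind, r_rc, r_sc, err = server.handle(self.ip, rc, sc)
            log.append((kind, r_rc, r_sc, err))
            if not self.accepts(server, r_rc):  # wrong Resolver Cookie: ignore the reply
                continue
            if err == BAD_COOKIE:               # cache the new Server Cookie and retry
                self.sc_cache[server.ip] = r_sc
                continue
            return kind
        return None


def run_example():
    """Replay the slide 7 exchange. Addresses and secrets are constructed sample values."""
    server = Server("192.0.2.53", b"server-secret-example")
    resolver = Resolver("198.51.100.7", b"resolver-secret-example")
    log = []
    outcome = resolver.query(server, log)
    # A forger spoofing the resolver's address knows neither cookie; use all-zero guesses.
    guess = b"\x00" * COOKIE_LEN
    forged_query_reply = server.handle(resolver.ip, guess, guess)[0]
    forged_reply_accepted = resolver.accepts(server, guess)
    return [m[0] for m in log], outcome, forged_query_reply, forged_reply_accepted


def nat_demo(mix_rc: bool) -> bool:
    """Two resolvers behind one NAT address (slide 8): True if they get distinct Server Cookies."""
    server = Server("192.0.2.53", b"server-secret-example", mix_rc=mix_rc)
    nat_ip = "203.0.113.9"  # constructed shared NAT address
    sc_a = server.expected_sc(nat_ip, resolver_cookie(server.ip, b"secret-a"))
    sc_b = server.expected_sc(nat_ip, resolver_cookie(server.ip, b"secret-b"))
    return sc_a != sc_b


if __name__ == "__main__":
    print(run_example())
    print("NAT resolvers distinguished without mixing:", nat_demo(False))
    print("NAT resolvers distinguished with mixing:   ", nat_demo(True))
```

Without mixing, every resolver behind the NAT address receives the same Server Cookie, which is exactly what lets one of them pass a valid cookie in traffic forged on behalf of its neighbours; with the Resolver Cookie folded into the hash, the server hands out a different cookie per resolver even though the source address is identical. The anycast caveat on slide 8 maps onto the `secret` argument: two anycast instances that do not share it will compute different `expected_sc` values and keep answering Bad Cookie to each other's clients.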
