1. Introduction
As with many core Internet protocols, the Domain Name System (DNS) was originally designed at a time when the Internet had only a small pool of trusted users. As the Internet has grown exponentially to a global information utility, the DNS has increasingly been subject to abuse.
This document describes DNS Cookies, a lightweight DNS transaction security mechanism specified as an OPT [RFC6891] option.
The DNS Cookie mechanism provides limited protection to DNS servers and clients against a variety of increasingly common abuses by off-path attackers.
It is compatible with, and can be used in conjunction with, other DNS transaction forgery resistance measures such as those in [RFC5452]. (Since DNS Cookies are only returned to the IP address from which they were originally received, they cannot be used to generally track Internet users.)
The protection provided by DNS Cookies is similar to that provided by using TCP for DNS transactions. Bypassing the weak protection provided by using TCP requires, among other things, that an off-path attacker guess the 32-bit TCP sequence number in use. Bypassing the weak protection provided by DNS Cookies requires such an attacker to guess a 64-bit pseudorandom "cookie" quantity.
Where DNS Cookies are not available but TCP is, falling back to using TCP is reasonable.
If only one party to a DNS transaction supports DNS Cookies, the mechanism does not provide a benefit or significantly interfere, but if both support it, the additional security provided is automatically available.
The DNS Cookie mechanism is designed to work in the presence of NAT and NAT-PT (Network Address Translation - Protocol Translation) boxes, and guidance is provided herein on supporting the DNS Cookie mechanism in anycast servers.
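The following is an added example, not part of this document, showing the OPT option layout the introduction refers to (option code 10, an 8-octet client cookie optionally followed by an 8- to 32-octet server cookie) and how a server can bind its cookie to the requester's source address so that an off-path party has nothing to work with but a guess. The 8-octet HMAC-SHA256 server-cookie derivation, the secret and the client cookie value are assumptions for the example, not mandated here.

```python
import hashlib
import hmac
import socket
import struct
from typing import Tuple

COOKIE_OPTION_CODE = 10   # EDNS0 option code assigned to COOKIE
CLIENT_COOKIE_LEN = 8     # the client cookie is always 8 octets
SERVER_COOKIE_LEN = 8     # assumed size; the option allows 8 to 32 octets

def build_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Encode a COOKIE option as it appears in OPT RDATA: code, length, data."""
    if len(client_cookie) != CLIENT_COOKIE_LEN:
        raise ValueError("client cookie must be 8 octets")
    if server_cookie and not 8 <= len(server_cookie) <= 32:
        raise ValueError("server cookie must be 8 to 32 octets")
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data

def parse_cookie_option(option: bytes) -> Tuple[bytes, bytes]:
    """Split a COOKIE option into (client_cookie, server_cookie); the server part may be empty."""
    code, length = struct.unpack("!HH", option[:4])
    if code != COOKIE_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed COOKIE option")
    data = option[4:]
    if len(data) == CLIENT_COOKIE_LEN:
        return data, b""
    if CLIENT_COOKIE_LEN + 8 <= len(data) <= CLIENT_COOKIE_LEN + 32:
        return data[:CLIENT_COOKIE_LEN], data[CLIENT_COOKIE_LEN:]
    raise ValueError("malformed cookie lengths")  # a server would answer FORMERR

def server_cookie(secret: bytes, client_cookie: bytes, client_ip: str) -> bytes:
    """Assumed derivation: HMAC-SHA256 over client cookie and source IP, truncated to 64 bits."""
    family = socket.AF_INET6 if ":" in client_ip else socket.AF_INET
    msg = client_cookie + socket.inet_pton(family, client_ip)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:SERVER_COOKIE_LEN]

def server_cookie_valid(secret: bytes, option: bytes, client_ip: str) -> bool:
    """Server-side check: recompute the cookie for this source address and compare in constant time."""
    cc, sc = parse_cookie_option(option)
    if not sc:
        return False  # no server cookie yet: treat as a cookie-less query and hand out a fresh one
    return hmac.compare_digest(sc, server_cookie(secret, cc, client_ip))

if __name__ == "__main__":
    secret = b"constructed-example-secret"        # constructed; a real server rotates this
    cc = bytes(range(8))                          # constructed client cookie
    opt = build_cookie_option(cc, server_cookie(secret, cc, "192.0.2.1"))
    print(opt.hex(), server_cookie_valid(secret, opt, "192.0.2.1"))
```

A cookie minted for 192.0.2.1 fails validation when the same option arrives from any other source address, which is what ties the 64-bit value to the path.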