DNS/cookies/1

1. Introduction

As with many core Internet protocols, the Domain Name System (DNS) was originally designed at a time when the Internet had only a small pool of trusted users. As the Internet has grown exponentially to a global information utility, the DNS has increasingly been subject to abuse.

This document describes DNS Cookies, a lightweight DNS transaction

The DNS Cookie mechanism provides limited protection to DNS servers and

It is compatible with, and can be used in conjunction with, other DNS transaction forgery resistance measures such as those in [RFC5452]. (Since DNS Cookies are only returned to the IP address

The protection provided by DNS Cookies is similar to that provided by using TCP for DNS transactions. Bypassing the weak protection provided by using TCP requires, among other things, that an off-path attacker guess the 32-bit TCP sequence number in use.

Bypassing the weak protection provided by DNS Cookies requires such an attacker to guess a 64-bit pseudorandom "cookie" quantity.
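As an added illustration (not part of this page or of the RFC text it quotes), the following Python sketches the two checks behind the paragraphs above: a Server Cookie bound to the requester's IP address, and the Client Cookie a forged reply would have to guess. The HMAC-SHA256 construction, the secret, the addresses and the cookie values are assumptions made for the example; RFC 7873 does not fix the server-cookie function.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed secret for the example only; a real server draws a long random
# secret, rotates it, and never lets it leave the server.
SERVER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

def new_client_cookie() -> bytes:
    """Client Cookie: 8 pseudorandom bytes the client attaches to each request,
    so that it can later recognise a genuine reply."""
    return os.urandom(8)

def server_cookie(secret: bytes, client_ip: str, ccookie: bytes) -> bytes:
    """Server Cookie: keyed hash over the requester's IP address and Client
    Cookie, truncated to 8 bytes. RFC 7873 leaves the exact function to the
    server; HMAC-SHA256 here is an assumption made for this example."""
    ip = ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, ip + ccookie, hashlib.sha256).digest()[:8]

def server_accepts(secret: bytes, src_ip: str, ccookie: bytes,
                   presented: bytes) -> bool:
    """Server-side check: a request carrying the Server Cookie previously issued
    to its apparent source address is treated as a returning, verified client.
    A request with no Server Cookie (first contact) or a wrong one is not,
    and gets only the weaker handling the server allows for unverified sources."""
    if len(presented) != 8:
        return False
    expected = server_cookie(secret, src_ip, ccookie)
    return hmac.compare_digest(expected, presented)

def client_accepts(sent_ccookie: bytes, echoed_ccookie: bytes) -> bool:
    """Client-side check: a reply must echo the Client Cookie that was sent, so
    an off-path forger has to guess those 64 bits on top of the usual ID/port."""
    return hmac.compare_digest(sent_ccookie, echoed_ccookie)

def demo() -> dict:
    """Genuine returning client, a cookie issued to a different address (the
    IP binding), and an off-path guess. IPs and cookie are constructed values."""
    cc = bytes.fromhex("0102030405060708")
    legit_sc = server_cookie(SERVER_SECRET, "192.0.2.10", cc)
    other_sc = server_cookie(SERVER_SECRET, "198.51.100.7", cc)
    return {
        "returning_client": server_accepts(SERVER_SECRET, "192.0.2.10", cc, legit_sc),
        "cookie_for_other_ip": server_accepts(SERVER_SECRET, "192.0.2.10", cc, other_sc),
        "offpath_guess": server_accepts(SERVER_SECRET, "192.0.2.10", cc, bytes(8)),
        "forged_reply": client_accepts(cc, bytes(8)),
    }
```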

Where DNS Cookies are not available but TCP is, falling back to using TCP is reasonable.

If only one party to a DNS transaction supports DNS Cookies, the

The DNS Cookie mechanism is designed to work in the presence of NAT

MoinQ: DNS/セキュリティ/cookies/1 (last edited 2021-04-01 06:50:39 by ToshinoriMaeno)