## page was renamed from DNS/cookies/1
#pragma section-numbers off

= DNS/cookies/1 =


== 1.  Introduction ==

As with many core Internet protocols, the Domain Name System (DNS)
was originally designed at a time when the Internet had only a small
pool of trusted users.  
As the Internet has grown exponentially to a global information utility, 
the DNS has increasingly been subject to abuse.

This document describes DNS Cookies, a lightweight DNS transaction
   security mechanism specified as an OPT [RFC6891] option.  
The DNS Cookie mechanism provides limited protection to DNS servers and
   clients against a variety of increasingly common abuses by off-path attackers. 

It is compatible with, and can be used in conjunction with, 
other DNS transaction forgery resistance measures such as those in [RFC5452].  
(Since DNS Cookies are only returned to the IP address
   from which they were originally received, they cannot be used to
   generally track Internet users.)
{{{
The protection provided by DNS Cookies is similar to that provided by
   using TCP for DNS transactions.  
Bypassing the weak protection provided by using TCP requires, among other things, 
that an off-path attacker guess the 32-bit TCP sequence number in use.  

Bypassing the weak protection provided by DNS Cookies requires such an attacker to
   guess a 64-bit pseudorandom "cookie" quantity.  
}}}
'''
Where DNS Cookies are not available but TCP is, falling back to using TCP is reasonable.
'''

If only one party to a DNS transaction supports DNS Cookies, the
   mechanism does not provide a benefit or significantly interfere, but
   if both support it, the additional security provided is automatically
   available.

The DNS Cookie mechanism is designed to work in the presence of NAT
   and NAT-PT (Network Address Translation - Protocol Translation)
   boxes, and guidance is provided herein on supporting the DNS Cookie
   mechanism in anycast servers.