MoinQ:

Please write about DNS/FCP/対策 (DNS fragment countermeasures) here.

1. Spoofing DNS with fragments

https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017950.html

This is mostly a solved problem from the point of view of the low-level 
infrastructure: Current Linux has mitigations DNS servers can use to 
avoid fragmented responses for reasonable response buffer sizes (such as 
1200 bytes) even when ICMP path MTU poisoning is used.

The only thing left to do is to set a flag (IP_PMTUDISC_OMIT is the 
easy to use variant) in DNS software and lower the buffer size to 1200 
bytes.  I could arrange for the Linux kernel changes, so upgrading DNS 
software should be rather smooth today, but it still puzzles me that DNS 
vendors ignored this issue, despite it being communicated clearly and 
widely as early as 2008.

Florian Weimer fweimer at redhat.com
Mon Sep 10 21:31:52 UTC 2018
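Added example (not code from Florian Weimer's post or from any DNS vendor): how the two mitigations the post names look when wired into a C DNS server's UDP path. The socket helper sets IP_MTU_DISCOVER to IP_PMTUDISC_OMIT (IPV6_PMTUDISC_OMIT for v6) so the kernel ignores ICMP path-MTU hints on that socket, and the size helpers cap the EDNS UDP payload at 1200 bytes and mark larger replies for truncation so the client retries over TCP instead of receiving fragments. Function names, the sample values (a client advertising 4096, a 1400-byte reply) and the 512-byte no-EDNS fallback from RFC 1035/6891 are this example's own assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Values from Linux >= 3.15 / glibc >= 2.20; defined here for older headers. */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif
#ifndef IPV6_PMTUDISC_OMIT
#define IPV6_PMTUDISC_OMIT 5
#endif

#define DNS_UDP_SIZE_CAP     1200 /* the response buffer size the post recommends */
#define DNS_UDP_SIZE_NO_EDNS 512  /* RFC 1035 limit when the query has no OPT RR */
#define DNS_TYPE_OPT         41

/* Tell the kernel to ignore path-MTU state on this socket: send with DF
 * clear and never act on ICMP "fragmentation needed" values, so a spoofed
 * PMTU cannot force a 1200-byte reply to be fragmented.
 * Returns 0 on success, -1 with errno set (EINVAL on kernels < 3.15). */
int harden_udp_socket(int fd, int family)
{
    int v;
    if (family == AF_INET6) {
        v = IPV6_PMTUDISC_OMIT;
        return setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &v, sizeof v);
    }
    v = IP_PMTUDISC_OMIT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, sizeof v);
}

/* Read the PMTU-discovery mode back; returns the mode or -1 on error. */
int read_pmtudisc(int fd, int family)
{
    int v = -1;
    socklen_t len = sizeof v;
    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt   = (family == AF_INET6) ? IPV6_MTU_DISCOVER : IP_MTU_DISCOVER;
    if (getsockopt(fd, level, opt, &v, &len) != 0)
        return -1;
    return v;
}

/* Size a UDP response may use: the client's advertised EDNS size, but
 * never above our 1200-byte cap; 0 (no OPT RR) and values below 512 are
 * treated as 512 per RFC 1035 / RFC 6891. */
uint16_t effective_udp_size(uint16_t client_advertised)
{
    if (client_advertised < DNS_UDP_SIZE_NO_EDNS)
        return DNS_UDP_SIZE_NO_EDNS;
    if (client_advertised > DNS_UDP_SIZE_CAP)
        return DNS_UDP_SIZE_CAP;
    return client_advertised;
}

/* Build an EDNS0 OPT pseudo-RR (RFC 6891) advertising udp_size:
 * NAME "." (1 byte), TYPE 41, CLASS = UDP payload size, TTL = 0
 * (extended RCODE 0, version 0, no flags), RDLENGTH 0.
 * Returns the 11 bytes written, or 0 if the buffer is too small. */
size_t build_opt_rr(uint8_t *buf, size_t cap, uint16_t udp_size)
{
    if (cap < 11)
        return 0;
    buf[0] = 0;                          /* root name */
    buf[1] = 0; buf[2] = DNS_TYPE_OPT;   /* TYPE = 41 */
    buf[3] = (uint8_t)(udp_size >> 8);   /* CLASS = UDP payload size */
    buf[4] = (uint8_t)(udp_size & 0xff);
    memset(buf + 5, 0, 6);               /* TTL (4) and RDLENGTH (2) = 0 */
    return 11;
}

/* Advertised UDP size from an OPT RR; 0 if the bytes are not an OPT RR. */
uint16_t parse_opt_udp_size(const uint8_t *rr, size_t len)
{
    if (len < 11 || rr[0] != 0 || rr[1] != 0 || rr[2] != DNS_TYPE_OPT)
        return 0;
    return (uint16_t)((rr[3] << 8) | rr[4]);
}

/* A reply larger than the effective size is sent truncated (TC=1) so the
 * client retries over TCP; it is never sent as a fragmented datagram. */
int must_truncate(size_t response_len, uint16_t client_advertised)
{
    return response_len > effective_udp_size(client_advertised);
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    if (harden_udp_socket(fd, AF_INET) != 0)
        perror("IP_PMTUDISC_OMIT (needs Linux >= 3.15)");
    printf("pmtudisc mode now %d (expect %d)\n",
           read_pmtudisc(fd, AF_INET), IP_PMTUDISC_OMIT);

    uint8_t opt[11];
    size_t n = build_opt_rr(opt, sizeof opt, DNS_UDP_SIZE_CAP);
    printf("OPT RR (%zu bytes) advertises %u\n", n, parse_opt_udp_size(opt, n));
    /* constructed sample: client advertises 4096, reply would be 1400 bytes */
    printf("client 4096 -> effective %u; 1400-byte reply truncated: %d\n",
           effective_udp_size(4096), must_truncate(1400, 4096));
    close(fd);
    return 0;
}
```

The socket option alone is not enough: a server that still advertises or honours 4096-byte EDNS sizes will produce datagrams above the interface MTU, which IP_PMTUDISC_OMIT then fragments at the interface MTU rather than at a poisoned path MTU. Both halves, the flag and the 1200-byte cap, are needed for the post's claim to hold.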

2. watch

/usa.gov