DNS Cookies draft-eastlake-dnsext-cookies-01.txt PowerPoint PPT Presentation

presentation player overlay
About This Presentation
Transcript and Presenter's Notes

Title: DNS Cookies draft-eastlake-dnsext-cookies-01.txt


1
DNS Cookiesdraft-eastlake-dnsext-cookies-01.txt
  • Donald E. Eastlake 3rd
  • Donald.Eastlake_at_motorola.com
  • 1-508-786-7554

2
DNS Cookies
  • Provides weak authentication of queries and
    responses. Can be viewed as a weak version of
    TSIG.
  • No protection against on-path attackers, that
    is, no protection against anyone who can see the
    plain text queries and responses.
  • Requires no set-up or configuration.

3
DNS Cookies (cont.)
  • Intended to greatly reduce
  • Forged source IP address traffic amplification
    DOS attacks.
  • Forged source IP address recursive server work
    load DOS attacks.
  • Forged source IP address reply cache poisoning
    attacks.

4
The COOKIE OPT Option
  • A new Option to the OPT-RR

1 1 1 1 1 1 1 1 1 1 2 2 2 2
2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
------------------------
-------- OPTION-CODE TBD
OPTION-LENGTH 18
------------------------
-------- Resolver
Cookie upper half
------------------------
-------- Resolver
Cookie lower half
------------------------
-------- Server
Cookie upper half
------------------------
-------- Server
Cookie lower half
------------------------
-------- Error Code
----------------
5
Resolver Warm Fuzzies
  • If DNS Cookies Enforced
  • Resolver puts a COOKIE in queries with
  • A Resolver Cookie that varies with server
  • Truncated HMAC(server-IP-address, resolver
    secret)
  • The resolver cached Server Cookie for that Cookie
    if it has one
  • Resolver ignores all replies that do not have the
    correct Resolver Cookie
  • Caches new Server Cookie and retries query if it
    gets a Bad Cookie error with a correct Resolver
    Cookie

6
Simplified Server Warm Fuzzies
  • If DNS Cookies Enforced
  • Server puts a COOKIE in replies with
  • A Server Cookie that varies with resolver
  • Truncated HMAC(resolver-IP-address, server
    secret)
  • The Resolver Cookie if there was one in the
    corresponding query
  • If query received with bad or no Server Cookie,
    send back short error message

7
Example
Resolver
Server
Query RC123, SC???,E0
ErrReply RC123, SC789, EBadC
SC789
Query RC123, SC789,E0
AnsReply RC123, SC789,E0
ForgedQuery RCXYZ, SC???,E0
ErrReply RCXYZ, SC789, EBadC
ForgedReply RC???, SC???,E0
8
Complexities
  • Bad guy Resolver behind a NAT
  • Could get Server Cookie and attack other
    resolvers behind the NAT
  • Solution Mix Resolver Cookie into Server Cookie
    hash so multiple resolvers that appear to be at
    the same IP address are distinguished
  • Anycast Servers
  • Need to use the same server secret or assure that
    queries from the same resolver usually go to the
    same server
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The : "DNS Cookies draft-eastlake-dnsext-cookies-01.txt" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!