[AusNOG] How you can help prevent DNS spoofing attempts from succeeding
Mark Andrews
marka at isc.org
Thu Aug 14 12:26:22 AEST 2025
Back in May 2016, RFC 7873 - Domain Name System (DNS) Cookies was published. This
provides a mechanism that can make off-path spoofing attacks impossible without
all the management required by DNSSEC. This however only works if DNS servers
and DNS clients implement the changes required.
For a DNS server operator there are no real risks in enabling DNS COOKIE support
other than ensuring all the servers in an anycast cluster have DNS COOKIES enabled.
For DNS clients there is a small risk that you will make a request to a DNS server
that has a broken DNS implementation that breaks DNS resolution. That said, the number
of such servers has been dropping over the last 9 years and per-server workarounds
are rare.
I would like to encourage everyone on this list to check if their DNS servers have
DNS COOKIE enabled or not and if it is not enabled to enable it or upgrade the server
to one which supports it.
You can test whether your server supports DNS COOKIE or not using https://ednscomp.isc.org/ednscomp
At a minimum please test to see if you have a broken DNS server and correct it if you do.
Below are the results of testing the .AU servers. Here A.AU supports DNS COOKIES as can be seen
by this field in the response "docookie=ok,cookie+badcookie". "badcookie" indicates that it is
also configured to use DNS COOKIE to identify legitimate traffic when amplification attacks happen.
The other servers cleanly accept requests with DNS COOKIES present but do not return DNS COOKIES
so they are not providing anti-spoofing support for the clients that use those servers. The
"docookie=timeout" results are false negatives based on manual testing; the test is presumably hitting a
rate limit.
EDNS Compliance Tester
Checking: 'au' as at 2025-08-14T01:59:15Z
au. @65.22.199.1 (t.au.): dns=ok zflag=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid,expire,subnet (LAX3)
au. @2a01:8840:c1::1 (t.au.): dns=ok zflag=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid,expire,subnet (YYZ3)
au. @58.65.254.1 (a.au.): dns=ok zflag=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok,cookie+badcookie edns512tcp=ok optlist=ok,nsid,cookie+badcookie,subnet (lax2)
au. @2407:6e00:254::1 (a.au.): dns=ok zflag=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok,cookie+badcookie edns512tcp=ok optlist=ok,nsid,expire,cookie+badcookie (mel3)
au. @65.22.196.1 (q.au.): dns=ok zflag=timeout edns=timeout edns1=ok edns at 512=ok ednsopt=timeout edns1opt=ok do=timeout ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
au. @2a01:8840:be::1 (q.au.): dns=ok zflag=timeout edns=timeout edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=timeout ednsflags=ok docookie=timeout edns512tcp=ok optlist=timeout
au. @65.22.197.1 (r.au.): dns=ok zflag=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid,expire,subnet (app4.mia2.hosts.meta.redstone.afilias-nst.info-1615580861)
au. @2a01:8840:bf::1 (r.au.): dns=ok zflag=ok edns=ok edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid,expire,subnet (syd3.micro.hosts.meta.redstone.afilias-nst.info-1626964915)
au. @65.22.198.1 (s.au.): dns=ok zflag=ok edns=timeout edns1=ok edns at 512=ok ednsopt=ok edns1opt=ok do=timeout ednsflags=ok docookie=timeout edns512tcp=ok optlist=ok,nsid,expire,subnet (sjc1.micro.hosts.meta.redstone.afilias-nst.info-1633459055)
au. @2a01:8840:c0::1 (s.au.): dns=ok zflag=ok edns=timeout edns1=ok edns at 512=ok ednsopt=timeout edns1opt=ok do=timeout ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid,expire,subnet (sjc1.micro.hosts.meta.redstone.afilias-nst.info-1633459055)
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
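A worked example of the client/server cookie exchange the post describes, added here and not part of Mark's message or of ISC's tools: it builds a query carrying an EDNS COOKIE option (option code 10) with a client cookie, parses the reply for a server cookie or the BADCOOKIE extended RCODE (23), and summarises the result in the spirit of the ednscomp "docookie" field. `fake_cookie_response` is a constructed stand-in for a cookie-aware server so the code runs offline, and the status labels are a simplification of ednscomp's output rather than its actual logic.

```python
import struct

COOKIE_OPT, BADCOOKIE = 10, 23  # EDNS COOKIE option code and BADCOOKIE extended RCODE (RFC 7873)

def encode_name(name):
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def skip_name(data, off):
    """Advance past a wire-format name, including a compression pointer."""
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def build_cookie_query(name, client_cookie, qtype=2, msg_id=0x1234):
    """NS query for <name> with an EDNS0 OPT record carrying an 8-byte client cookie."""
    hdr = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional (OPT)
    option = struct.pack("!HH", COOKIE_OPT, len(client_cookie)) + client_cookie
    opt_rr = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0, len(option)) + option
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_rr

def parse_cookie_response(data):
    """Extract the RCODE (with EDNS extended bits) and COOKIE option; summarise like ednscomp's docookie."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, rcode, client, server = 12, flags & 0xF, None, None
    for _ in range(qd):
        off = skip_name(data, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off, p = data[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        if rtype != 41:  # only the OPT pseudo-RR carries EDNS options
            continue
        rcode |= (ttl >> 24) << 4  # extended RCODE lives in the top byte of the OPT "TTL"
        while p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            if code == COOKIE_OPT:
                client, server = rdata[p + 4:p + 12], rdata[p + 12:p + 4 + olen] or None
            p += 4 + olen
    status = "badcookie" if rcode == BADCOOKIE else ("ok,cookie" if server else "ok")
    return {"rcode": rcode, "client": client, "server": server, "docookie": status}

def fake_cookie_response(query, server_cookie=b"", rcode=0):
    """Constructed stand-in for a cookie-aware server: echo the client cookie, append ours."""
    client = parse_cookie_response(query)["client"]
    hdr = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180 | (rcode & 0xF), 1, 0, 0, 1)
    option = struct.pack("!HH", COOKIE_OPT, 8 + len(server_cookie)) + client + server_cookie
    opt_rr = b"\x00" + struct.pack("!HHBBHH", 41, 1232, rcode >> 4, 0, 0, len(option)) + option
    return hdr + query[12:skip_name(query, 12) + 4] + opt_rr
```

A reply with no server cookie comes back as "ok" (the server accepted the option but offers no anti-spoofing), while "ok,cookie" means the server returned its own cookie for the client to present on later queries.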