[AusNOG] Protection from spoofing of DNS responses and TCP

Mark Andrews marka at isc.org
Fri Aug 15 06:51:43 AEST 2025


Yesterday I was talking about DNS COOKIE and protecting from spoofing.  Now if
the server you are talking to doesn't support DNS COOKIE the client can always
retry over TCP.  Well, I experimented with this and found that it works with
some extra latency, with the exception of 1-2% of queries that just failed because
the server didn't support TCP as a fallback as is required by RFC 7766 - DNS Transport
over TCP - Implementation Requirements.

In named I added "server 0.0.0.0/0 { require-cookie yes; };" and
"server ::/0 { require-cookie yes; };" to named.conf, which turns on this behaviour
for all IPv4 and IPv6 servers unless there is a more specific server clause, so you
can try this yourself if you want.

TCP is an interoperability requirement for DNS.  There are nameservers out there
that attempt to detect spoofed replies and switch to TCP mode.  DNS has ALWAYS
fallen back to TCP when answers are too big to fit in the UDP DNS message.  We
get from time to time reports of DNS lookups failing because DNS over TCP is
being blocked and all we can say is contact the server operator and get them to
fix their configuration.

Please check, from outside your network, that your DNS servers are reachable over
TCP.  I'd like to be able to change named's defaults to the equivalent of adding
those two server clauses but there are too many misconfigured servers out
there.  The latency will get better as more servers support DNS COOKIE (which
requires the server to support TCP by the way.)  What won't get better without
help is fixing the misconfigurations which block the TCP fallback.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
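The check the post asks operators to run, as an added example that is not part of the original message and not ISC's code: a small stdlib-only probe that sends the same non-recursive query to a server over UDP and then over TCP (with the two-byte length prefix RFC 7766 requires), and reports whether each transport answered and whether the reply carried a DNS COOKIE option (RFC 7873, EDNS option code 10) that echoes the client cookie we sent. The script name `probe.py`, the query type (SOA) and the 1232-byte EDNS payload size are assumptions; run it from a host outside your network against each authoritative server address and zone.

```python
"""Added example (not ISC's code): probe a nameserver over UDP and TCP and
look for a DNS COOKIE in the reply.  Usage: python3 probe.py <server-ip> <zone>"""
import os
import socket
import struct
import sys

TYPE_OPT = 41
TYPE_SOA = 6
EDNS_OPT_COOKIE = 10      # RFC 7873 option code
UDP_PAYLOAD = 1232        # assumed EDNS UDP payload size to advertise


def encode_name(qname):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = [l.encode() for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dns_header(qid, flags, qd, an, ns, ar):
    return struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar)


def cookie_option(cookie):
    """EDNS option carrying a client cookie (8 bytes) or client+server cookie."""
    return struct.pack("!HH", EDNS_OPT_COOKIE, len(cookie)) + cookie


def opt_rr(rdata):
    """OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL 0."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_PAYLOAD, 0, len(rdata)) + rdata


def build_query(qname, qtype=TYPE_SOA, client_cookie=None, qid=None):
    """Return (id, wire) for a non-recursive query (RD=0) with an OPT record."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")
    rdata = cookie_option(client_cookie) if client_cookie else b""
    wire = (dns_header(qid, 0, 1, 0, 0, 1) + encode_name(qname)
            + struct.pack("!HH", qtype, 1) + opt_rr(rdata))
    return qid, wire


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, expected_id):
    """Return rcode, TC flag and any COOKIE option found in the OPT RR."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip qtype/qclass
    cookie = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:                   # walk the EDNS options
            o = off
            while o < off + rdlen:
                code, olen = struct.unpack_from("!HH", msg, o)
                if code == EDNS_OPT_COOKIE:
                    cookie = msg[o + 4:o + 4 + olen]
                o += 4 + olen
        off += rdlen
    return {"rcode": flags & 0xF, "tc": bool(flags & 0x0200), "cookie": cookie}


def cookie_valid(client_cookie, cookie):
    """RFC 7873: reply must echo our client cookie and add an 8..32 byte server cookie."""
    return cookie is not None and cookie[:8] == client_cookie and 16 <= len(cookie) <= 40


def tcp_frame(wire):
    """RFC 7766 framing: two-byte big-endian length prefix before the message."""
    return struct.pack("!H", len(wire)) + wire


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server, wire, timeout=3.0):
    family, _, _, _, addr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, addr)
        return s.recv(4096)


def query_tcp(server, wire, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(wire))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def probe(server, qname):
    """Report UDP reachability, TCP reachability and DNS COOKIE support for one server."""
    client_cookie = os.urandom(8)
    result = {"udp": False, "tcp": False, "cookie": False}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        qid, wire = build_query(qname, client_cookie=client_cookie)
        try:
            reply = parse_response(fn(server, wire), qid)
        except (OSError, ValueError) as e:
            print(f"{transport}: FAIL ({e})")
            continue
        result[transport] = True
        has_cookie = cookie_valid(client_cookie, reply["cookie"])
        result["cookie"] = result["cookie"] or has_cookie
        print(f"{transport}: ok rcode={reply['rcode']} tc={reply['tc']} cookie={has_cookie}")
    return result


if __name__ == "__main__":
    sys.exit(0 if probe(sys.argv[1], sys.argv[2])["tcp"] else 1)
```

A server that answers over UDP but fails over TCP is exactly the 1-2% case described above: a resolver that falls back to TCP (because of a spoofing check, a missing cookie, or a truncated answer) will not get an answer from it. The exit status is non-zero whenever the TCP query fails, so the script can be dropped into a monitoring job.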