Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

DNS security can be improved with cookies, suggest IETF boffins

For message authentication, not for tracking. Promise!

A proposal raised late May at the Internet Engineering Task Force (IETF) suggests adding cookies to the DNS to help defend the critical system against denial-of-service exploits.

The domain name system (DNS) is an old and fundamental piece of the Internet architecture, providing translation between human-readable addresses like theregister.com and IP addresses.

The DNS has also been exploited several times over the years as a traffic amplifier in DoS attacks. [amplification attacks]

RFC 7873, authored by Donald Eastlake (Huawei*) and Mark Andrews (ISC*), puts forward the intriguing notion that a simple cookie deployment could help.

They describe DNS Cookies as “a lightweight DNS transaction security mechanism” for clients and servers. While the idea offers only “limited protection”, the authors say they can help address denial-of-service, amplification, forgery, and cache poisoning attacks.

For the privacy-conscious, the authors note that their proposal is that the DNS cookies only be returned to their originating IP address, preventing them being used as a tracking mechanism.

The protection offered by the DNS cookie, the RFC says, comes from the fact that an attacker would have to guess the 64-bit pseudorandom value of the cookie.

The client cookie would be calculated using the client's IP address, the server IP address, and “a secret value known only to the client”. The client's IP address, the client cookie, and a secret known to the server would be used to calculate the server cookie.

Here's how the authors imagine the cookies would help in various DNS attack scenarios:

  • DoS attacks using forged addresses – the basic DNS denial-of-service attack uses a forged client address. The cookie doesn't block such attacks – but it does identify the client by its real IP address, which makes attribution more feasible, making the attack less anonymous;
  • DNS amplification – from the RFC: “Enforced DNS Cookies would make it hard for an off-path attacker to cause any more than rate-limited short error responses to be sent to a forged IP address, so the attack would be attenuated rather than amplified”.
  • Server DoS – any DNS request accepted by a server uses its resources, making it relatively straightforward to hose a server by flooding it with requests. The cookies make it very easy to reject forged requests “before any recursive queries or public key cryptographic operations are performed.”
  • Cache poisoning and answer forgery attacks – the DNS cookies let resolvers reject forged replies.

The RFC also lays out an incremental rollout scheme for DNS cookies. ®

Bootnote: *IETF RFCs are the work of individuals, not their employers, but affiliations get a mention as a courtesy. ®

 

Similar topics

TIP US OFF

Send us news


Other stories you might like