We have covered DNSSEC before. But over the last few months, DNSSEC deployments have increased, and yesterday's DNS poisoning diary by Manuel shows that attacks against unsecured zones certainly happen. I wanted to put together a couple of tips to avoid common errors:
Anything I forgot? Please add a comment... A couple of URLs to use as a reference: http://dnsviz.net/ - Really nice visualization tool.
Johannes, ISC Handler, Jun 28th 2011
Relating to EDNS0, and DNS responses larger than one packet, I once set up Linux IPTables to allow incoming UDP traffic to port 53 thinking that was enough. But IPTables 'port' matches don't match UDP fragments after the first one, so you either need to use stateful matching (-m state --state related,established) or specifically accept trailing fragments (the iptables "-f" option for IPv4, or "-m frag ! --fragid 0" for IPv6).
Anonymous, Jun 29th 2011
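The fragment problem the comment above describes can be seen without touching a live firewall. The following is an added example, not code from the commenter or from ISC: it builds a constructed oversized UDP datagram from port 53, splits it into IPv4 fragments the way RFC 791 does, and then models three filter behaviours in pure Python: a plain port match (which only ever sees a UDP header in the first fragment), the commenter's trailing-fragment accept (`iptables -f`), and a defragment-then-match path of the kind a stateful `--state related,established` rule relies on. The MTU, the 1800-byte payload and the client port 40000 are constructed values, and the `iptables` rules in the comments are only the ones named in the comment.

```python
import struct

MTU = 1500          # constructed link MTU
IP_HDR_LEN = 20     # IPv4 header without options
UDP_HDR_LEN = 8
DNS_PORT = 53


def build_udp(src_port, dst_port, payload):
    """UDP header (checksum left as 0 for brevity) followed by the payload."""
    return struct.pack("!HHHH", src_port, dst_port, UDP_HDR_LEN + len(payload), 0) + payload


def fragment_ipv4(udp_datagram, ident=0x1234, mtu=MTU):
    """Split an IPv4 payload into fragments as RFC 791 does: every fragment but
    the last carries a multiple of 8 bytes, and only the fragment at offset 0
    contains the UDP header (and therefore the port numbers)."""
    max_payload = ((mtu - IP_HDR_LEN) // 8) * 8
    frags, offset = [], 0
    while offset < len(udp_datagram):
        chunk = udp_datagram[offset:offset + max_payload]
        frags.append({
            "id": ident,
            "offset": offset // 8,                             # 8-byte units, as on the wire
            "more": offset + len(chunk) < len(udp_datagram),   # MF flag
            "data": chunk,
        })
        offset += len(chunk)
    return frags


def udp_ports(data):
    """Source and destination port from the start of a UDP header."""
    return struct.unpack("!HH", data[:4])


def port_only_rule(frag, port=DNS_PORT):
    """Models a bare '-p udp --dport 53' / '--sport 53' match with no fragment
    handling: a port match needs a UDP header, and only the first fragment has one,
    so second and later fragments can never match and fall through to the drop."""
    if frag["offset"] != 0:
        return False
    return port in udp_ports(frag["data"])


def trailing_fragment_rule(frag):
    """Models the commenter's 'iptables -f ... -j ACCEPT': accept second and
    further fragments explicitly, since they carry no ports to match on."""
    return frag["offset"] != 0


def reassemble(frags):
    """Models the defragmentation the stateful path performs before matching.
    Raises if the set is incomplete (missing last fragment, or MF set on the last one)."""
    ordered = sorted(frags, key=lambda f: f["offset"])
    if not all(f["more"] for f in ordered[:-1]) or ordered[-1]["more"]:
        raise ValueError("incomplete fragment set")
    return b"".join(f["data"] for f in ordered)


def evaluate(frags, port=DNS_PORT):
    """Per-fragment verdicts for each policy, plus the verdict after reassembly."""
    return {
        "port_only": [port_only_rule(f, port) for f in frags],
        "with_frag_rule": [port_only_rule(f, port) or trailing_fragment_rule(f) for f in frags],
        "stateful": port in udp_ports(reassemble(frags)),
    }


# Constructed sample: a DNSSEC-sized answer from port 53 to an ephemeral client port.
ANSWER = build_udp(DNS_PORT, 40000, b"\x00" * 1800)
FRAGS = fragment_ipv4(ANSWER)

if __name__ == "__main__":
    for name, verdict in evaluate(FRAGS).items():
        print(f"{name:15s} {verdict}")
```

Run as a script, the output shows the port-only policy accepting the first fragment and rejecting the second, while both the trailing-fragment rule and the reassembled stateful check accept everything; a DNS answer that fits in one packet passes all three, which is why the mistake is easy to miss until EDNS0-sized answers start arriving.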