The NONCE record allows a DNS client to prevent DNS spoofing attacks by
effectively increasing the size of the request ID value.
The NONCE record is a dummy DNS record. A query requesting a NONCE record
results in the query parameters being returned to the requestor verbatim.
Certain DNS extensions may specify that a server returning the record
types they define MUST support the NONCE record.
A DNS server may use the NONCE record as an aid to preventing DNS spoofing
and cache poisoning attacks as follows:
The DNS client attaches the NONCE query to every DNS request. When employed
in a legacy environment the client cannot immediately tell the difference
between a DNS spoofing attack and a response from a legacy server that does
not support NONCE.
A DNS client supporting the NONCE record SHOULD maintain a record of all DNS
responses that are unsolicited (did not result from a request made by the
client). If the number of such responses exceeds a certain threshold, the DNS
client changes state to UNDER-ATTACK.
In the UNDER-ATTACK state the DNS client accepts a DNS response only if:
1) The response contains a valid NONCE value.
2) The first response to a question has a valid request ID.
If the DNS client receives a spoofed response to a query, the query state is
changed to SUSPICIOUS. The client MUST then reject all responses received to
that query unless the response has an accompanying and correct NONCE record.
A DNS client MAY route queries that are marked as SUSPICIOUS to another DNS
server for resolution.
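The client-side state machine described above, as an added illustration that is not part of the original proposal. It assumes a 64-bit NONCE, a constructed unsolicited-response threshold of 3, and treats a response whose ID matches but whose NONCE does not as the "spoofed response" that marks a query SUSPICIOUS; all of these are assumptions, not values from the text.

```python
import secrets
from dataclasses import dataclass

# Constructed threshold: the proposal leaves the actual number unspecified.
UNSOLICITED_THRESHOLD = 3

@dataclass
class Query:
    qname: str
    request_id: int          # the 16-bit DNS ID the NONCE is meant to augment
    nonce: bytes             # value the server must echo back verbatim
    state: str = "NORMAL"    # per-query: NORMAL or SUSPICIOUS

class NonceClient:
    def __init__(self):
        self.pending = {}        # request_id -> Query still awaiting an answer
        self.unsolicited = 0     # responses that matched no outstanding query
        self.state = "NORMAL"    # client-wide: NORMAL or UNDER-ATTACK
        self.reroute = []        # SUSPICIOUS queries the client MAY send elsewhere

    def send(self, qname):
        """Build a query with a random ID and an attached 64-bit NONCE question."""
        q = Query(qname, secrets.randbelow(1 << 16), secrets.token_bytes(8))
        self.pending[q.request_id] = q
        return q

    def receive(self, request_id, answer, nonce=None):
        """Return the answer if the response is accepted, otherwise None."""
        q = self.pending.get(request_id)
        if q is None:
            # No outstanding query with this ID: count it as unsolicited
            self.unsolicited += 1
            if self.unsolicited >= UNSOLICITED_THRESHOLD:
                self.state = "UNDER-ATTACK"
            return None
        if nonce is not None:
            if secrets.compare_digest(nonce, q.nonce):
                del self.pending[request_id]   # correct NONCE: accepted in any state
                return answer
            # ID matched but NONCE did not: a forgery that guessed the 16-bit ID
            q.state = "SUSPICIOUS"
            self.reroute.append(q)
            return None
        # No NONCE at all: a legacy server or a forgery; the state decides
        if q.state == "SUSPICIOUS":
            return None                        # only a correct NONCE will do now
        # In UNDER-ATTACK only the first ID-only response is accepted; accepting
        # closes the query, so any later copy has no pending query and is counted
        # as unsolicited above (same rule as NORMAL, where ID alone suffices)
        del self.pending[request_id]
        return answer
```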
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg