= BlackHat DC 09 Wouters =
http://www.blackhat.com/presentations/bh-dc-09/Wouters/BlackHat-DC-09-Wouters-Post-Dan-Kaminsky-slides.pdf

BlackHat DC 09, Wouters, "Post Dan Kaminsky" slides (PDF)

-----
== Two phase deployment ==
{{{
• First release a generic fix for the Kaminsky attack that does not leak information to the bad guys (source port randomization)
}}}
{{{
• Then release the bug and patches specifically against the Kaminsky attack
}}}
-----
== The inevitable: Fix recursive nameservers ==
{{{
Port randomization
Sanitize TTL's
Use more IP addresses per DNS server
Harden against bogus size packets
Harden glue
Additional queries for infrastructure data
0x20
}}}
-----
== Hardening infrastructure queries ==
 * Before accepting NS records or A records of nameservers, ask at least two different nameservers.
 * Before accepting glue records or additional data, independently verify these with new queries. (extra work is only needed once, then we use caching – minimum impact)
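Two of the resolver-side fixes in the slide list above, source port randomization and 0x20, work by making a forged reply harder to guess. The following Python is an added illustration written for this page, not code from the slides or from any resolver: it randomises the case of a query name (the 0x20 bit of each ASCII letter), checks that a reply echoes that exact case, and adds up the bits an off-path forger would have to guess. The function names and the assumption that the source port is a full 16 random bits are this example's own.

```python
import random
import secrets
from typing import Optional, Tuple


def encode_0x20(qname: str, rng: Optional[random.Random] = None) -> Tuple[str, int]:
    """Randomise the case of every ASCII letter in qname by flipping its 0x20 bit.

    Returns the encoded name and the number of letters randomised, which is the
    number of extra entropy bits a forger has to guess (digits, dots and hyphens
    carry none). rng defaults to the OS CSPRNG; a seeded Random may be passed
    when reproducibility is wanted.
    """
    rng = rng or secrets.SystemRandom()
    out = []
    bits = 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            bits += 1
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out), bits


def answer_matches_0x20(sent_qname: str, answer_qname: str) -> bool:
    """Accept a reply only if its question section echoes the exact case we sent.

    DNS names compare case-insensitively, so a legitimate server copies our bytes
    back unchanged; a blind forgery built from the canonical lowercase name fails
    this byte-for-byte comparison and is dropped.
    """
    return sent_qname == answer_qname


def blind_forgery_bits(qname: str, txid_bits: int = 16, port_bits: int = 16) -> int:
    """Bits an off-path attacker must guess per forged reply.

    Assumed here: a 16-bit transaction ID and a fully random 16-bit source port
    (real resolvers usually have fewer usable port bits), plus one bit per
    letter of the 0x20-encoded name.
    """
    _, letter_bits = encode_0x20(qname)
    return txid_bits + port_bits + letter_bits
```

The name is encoded once per outgoing query and the comparison is done against the question section of each incoming reply, before the transaction ID and port checks are even considered.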
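The two hardening rules above (ask at least two nameservers before accepting NS or A records of nameservers; re-query glue instead of trusting the additional section; cache the result so the extra work happens once) can be shown with a small simulated resolver. The Python below is an added example, not code from the slides: the three nameservers, their record sets and the addresses are constructed sample data, one of the servers deliberately hands out a different answer, and the class and function names are this example's own.

```python
from collections import Counter
from typing import Dict, Optional, Tuple

RRset = Tuple[str, ...]

# Constructed sample data: three nameservers for "example." and the records each
# one returns. b.ns.example. disagrees with the other two about www.example.
FAKE_ZONE_SERVERS: Dict[str, Dict[Tuple[str, str], RRset]] = {
    "a.ns.example.": {
        ("example.", "NS"): ("a.ns.example.", "b.ns.example.", "c.ns.example."),
        ("a.ns.example.", "A"): ("192.0.2.1",),
        ("b.ns.example.", "A"): ("192.0.2.2",),
        ("www.example.", "A"): ("192.0.2.10",),
    },
    "b.ns.example.": {
        ("example.", "NS"): ("a.ns.example.", "b.ns.example.", "c.ns.example."),
        ("a.ns.example.", "A"): ("192.0.2.1",),
        ("b.ns.example.", "A"): ("192.0.2.2",),
        ("www.example.", "A"): ("198.51.100.99",),   # the odd one out
    },
    "c.ns.example.": {
        ("example.", "NS"): ("a.ns.example.", "b.ns.example.", "c.ns.example."),
        ("a.ns.example.", "A"): ("192.0.2.1",),
        ("b.ns.example.", "A"): ("192.0.2.2",),
        ("www.example.", "A"): ("192.0.2.10",),
    },
}


def fake_query(server: str, name: str, rtype: str) -> Optional[RRset]:
    """Stand-in for sending a DNS query to one server (offline lookup in the table)."""
    return FAKE_ZONE_SERVERS.get(server, {}).get((name, rtype))


class HardenedCache:
    """Accepts an infrastructure RRset only when min_agree distinct servers return
    the same answer, and caches it so later lookups cost no further queries."""

    def __init__(self, servers, min_agree: int = 2):
        self.servers = list(dict.fromkeys(servers))   # distinct servers only
        self.min_agree = min_agree
        self.cache: Dict[Tuple[str, str], RRset] = {}
        self.query_count = 0

    def lookup(self, name: str, rtype: str) -> Optional[RRset]:
        key = (name, rtype)
        if key in self.cache:
            return self.cache[key]
        votes: Counter = Counter()
        for srv in self.servers:
            self.query_count += 1
            rrset = fake_query(srv, name, rtype)
            if rrset is not None:
                votes[rrset] += 1
        if not votes:
            return None
        best, count = votes.most_common(1)[0]
        if count < self.min_agree:
            return None            # no agreement: refuse rather than guess
        self.cache[key] = best
        return best

    def accept_glue(self, glue: Dict[str, str]) -> Dict[str, str]:
        """Keep only glue entries (nsname -> address) that a fresh, independently
        agreed A lookup confirms; unverified additional data is dropped."""
        verified = {}
        for nsname, claimed in glue.items():
            rrset = self.lookup(nsname, "A")
            if rrset is not None and claimed in rrset:
                verified[nsname] = claimed
        return verified
```

With the sample data, www.example. is accepted because two of three servers agree on 192.0.2.10; a second lookup of the same name is served from the cache and issues no queries. Glue naming a wrong address for b.ns.example. is discarded because the independent lookup does not confirm it.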