The other problem with DNSSEC is that it does not get you anything today - a first correct answer sent as a plain DNS response will still cause the DNS server to ignore subsequent responses. It seems like there should be some way to block responses from a client after a given number of incorrect UDP port injection attempts - at least then an attacker would have to distribute his attack across many different attacking computers instead of sending millions of unsolicited responses from a single computer.
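As an added illustration of the rate-limiting idea in the comment above (this is not the commenter's code and not taken from any real resolver), the sketch below keeps a resolver's table of outstanding queries keyed by nameserver address, ephemeral port and transaction id, counts responses that match none of them, and stops examining a source once it has produced more unmatched responses than a threshold. All addresses, ports, transaction ids and the `Resolver`/`Response` names are constructed for the example.

```python
# Added example (not from the comment's author or from any real resolver): a
# resolver-side sketch of "count mismatched responses and block the source".
# Every address, port and transaction id below is constructed.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Response:
    src_ip: str    # address the UDP response claims to come from
    dst_port: int  # resolver ephemeral port the response arrived on
    txid: int      # 16-bit DNS transaction id in the response header
    qname: str     # question name echoed in the response


@dataclass
class Resolver:
    """Tracks outstanding queries and counts responses that match none of them."""
    threshold: int = 5  # unmatched responses tolerated before a source is blocked
    outstanding: dict = field(default_factory=dict)  # (ns_ip, port, txid) -> qname
    unmatched: dict = field(default_factory=lambda: defaultdict(int))  # ns_ip -> count
    blocked: set = field(default_factory=set)

    def send_query(self, ns_ip: str, port: int, txid: int, qname: str) -> None:
        # A real resolver picks a random ephemeral port and a random txid here;
        # the caller supplies them so the example stays deterministic.
        self.outstanding[(ns_ip, port, txid)] = qname

    def receive(self, r: Response) -> str:
        if r.src_ip in self.blocked:
            return "dropped"  # source already blocked: response is not examined
        key = (r.src_ip, r.dst_port, r.txid)
        if self.outstanding.get(key) == r.qname:
            del self.outstanding[key]  # first match wins; later copies are unmatched
            return "accepted"
        self.unmatched[r.src_ip] += 1
        if self.unmatched[r.src_ip] >= self.threshold:
            self.blocked.add(r.src_ip)
            return "blocked"
        return "ignored"


def simulate(threshold: int = 3) -> list:
    """Feed a constructed sequence: two wrong guesses, a third that trips the
    threshold, then the genuine answer, which is now dropped with the rest."""
    res = Resolver(threshold=threshold)
    res.send_query("192.0.2.53", 40001, 0x1234, "example.com.")
    traffic = [
        Response("192.0.2.53", 40001, 0x0001, "example.com."),  # wrong txid
        Response("192.0.2.53", 40002, 0x1234, "example.com."),  # wrong port
        Response("192.0.2.53", 40001, 0x0002, "example.com."),  # wrong txid, trips threshold
        Response("192.0.2.53", 40001, 0x1234, "example.com."),  # the genuine answer
    ]
    return [res.receive(r) for r in traffic]


if __name__ == "__main__":
    print(simulate())  # ['ignored', 'ignored', 'blocked', 'dropped']
```

The last outcome in `simulate()` shows the caveat a resolver implementer has to weigh: forged responses carry the spoofed address of the legitimate nameserver, so a per-source block also cuts off the real server's answer, turning a poisoning attempt into a denial of service for that zone. Production resolvers therefore tend to count unexpected replies globally rather than per source; Unbound's `unwanted-reply-threshold` option, for instance, reacts to a high count by flushing its caches rather than by blocking an address.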
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds