The Internet Engineering Task Force (IETF) is an organized activity of the Internet Society (ISOC), a non-profit organization. The IETF's mission is to produce high-quality technical documents that help people design, use and manage the Internet more effectively. One such document, RFC 7873 (published in 2016), proposes that DNS servers and clients can reduce their exposure to denial-of-service and amplification attacks by exchanging cookies. These DNS cookies share a name with the cookies websites set to track user sessions, but they are not the same thing: they are a small option carried inside DNS messages, not files stored by a browser.
Fundamental Issues with DNS
The Domain Name System (DNS) is a fundamental, yet old and arguably outdated, part of the Internet's foundation. Its most basic function is to translate between numeric IP addresses and the names that humans can read and remember. DNS security is a substantial and growing concern because open or misconfigured DNS servers are routinely abused as traffic amplifiers in DoS attacks: the attacker sends small queries with a forged source address, and the server's much larger responses land on the victim.
Introducing RFC 7873
RFC 7873, authored by IETF participants Donald Eastlake and Mark Andrews, explores how these amplification attacks could be mitigated, and DNS security improved, through cookies. The document describes DNS Cookies as a lightweight DNS transaction security mechanism that offers limited but useful and efficient protection against denial-of-service, amplification, forgery and cache-poisoning attacks mounted by off-path attackers, that is, attackers who can forge packets but cannot observe the traffic between client and server.
How Cookies Would Work
Such cookies cannot be used to track users: a client cookie is only ever sent to the server it was created for, and it differs for every server. The protection comes from the fact that an off-path attacker forging the client's address would have to guess a 64-bit value, which is not feasible within the lifetime of a cookie. A client cookie is computed from the server IP address, the client IP address and a secret value known only to the client. A server cookie is computed the same way from the client IP address, the client cookie and a secret known only to the server; RFC 7873 allows it to be anywhere from 8 to 32 bytes long.
The document also provides a number of practical illustrations of how these cookies can enhance DNS security in real-world scenarios, such as:
• Server DoS — Once a server has handed a client its cookie, it can cheaply tell a request carrying a valid server cookie from a forged one. This does not remove the attack traffic, but it greatly reduces its impact: requests without a valid cookie can be answered with a small error, rate-limited or given low priority before the server spends effort on cryptographic checks, recursive lookups or other expensive work.
• DNS amplification — Amplification works because a small forged query elicits a large response. With cookies, a forged query that arrives with no server cookie or a wrong one gets back only a small cookie-bearing reply or a BADCOOKIE error, roughly the size of the query itself, which is useless to the attacker. For cookie-capable clients this removes the amplification factor; clients that send no cookie at all must still be answered, and the RFC leaves their treatment, such as rate limiting, to server policy.
• Forged addresses — Basic DoS attacks flood a server from forged client addresses. Cookies do not stop that traffic from arriving, but they make it easy to identify requests from clients that have completed a genuine cookie exchange. That is half the battle, since server resources can then be reserved for those clients.
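The following Python script is an added example, not code from RFC 7873 or from any DNS implementation. It walks through the mechanism described above and the three scenarios in the list: it builds client and server cookies from the inputs the RFC names, encodes them in the EDNS0 COOKIE option (option code 10), and runs a constructed exchange in which a legitimate client earns full service while a spoofed query and a forged response are rejected. The cookie function is an assumption: RFC 7873 leaves it to the implementer, so a truncated HMAC-SHA256 is used here, and the "small reply, no expensive work until the server cookie is verified" policy is likewise the example's own choice for a server under load. Addresses come from the RFC 5737 documentation ranges.

```python
import hashlib
import hmac
import os
import struct

COOKIE_OPTION_CODE = 10   # EDNS0 option code for COOKIE (RFC 7873)
BADCOOKIE = 23            # extended RCODE for an invalid server cookie (RFC 7873)


def _tag(secret, *parts):
    # Assumed cookie function for this example: HMAC-SHA256 truncated to 64 bits.
    # RFC 7873 leaves the function to the implementer; any keyed PRF will do.
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()[:8]


def client_cookie(client_ip, server_ip, client_secret):
    """64-bit client cookie: stable per (client, server) pair, different per server,
    unpredictable without the client's secret."""
    return _tag(client_secret, client_ip.encode(), server_ip.encode())


def server_cookie(client_ip, c_cookie, server_secret):
    """Server cookie over the client address and client cookie, keyed by the server
    secret. RFC 7873 allows 8..32 bytes; 8 are used here."""
    return _tag(server_secret, client_ip.encode(), c_cookie)


def encode_cookie_option(c_cookie, s_cookie=b""):
    """Option wire format: code(16) | length(16) | client cookie(8) | server cookie(0 or 8..32)."""
    if len(c_cookie) != 8 or (s_cookie and not 8 <= len(s_cookie) <= 32):
        raise ValueError("cookie length outside RFC 7873 limits")
    data = c_cookie + s_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def decode_cookie_option(option):
    code, length = struct.unpack("!HH", option[:4])
    if code != COOKIE_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed COOKIE option")
    if length != 8 and not 16 <= length <= 40:
        raise ValueError("malformed COOKIE option: length %d" % length)
    return option[4:12], option[12:4 + length]


class CookieServer:
    """Example policy for a server under load: only a request carrying a valid
    server cookie gets full (expensive) processing; everything else gets a small reply."""

    def __init__(self, secret):
        self.secret = secret

    def handle(self, src_ip, option):
        """Return (rcode, response COOKIE option, full_service)."""
        if option is None:
            return 0, None, False                      # legacy client, rate-limit candidate
        c, s = decode_cookie_option(option)
        expected = server_cookie(src_ip, c, self.secret)
        reply = encode_cookie_option(c, expected)      # always hand back our server cookie
        if not s:
            return 0, reply, False                     # first contact: cookie only, no recursion
        if not hmac.compare_digest(s, expected):
            return BADCOOKIE, reply, False             # guessed or stale cookie: tiny error reply
        return 0, reply, True                          # verified client: do the real work


class CookieClient:
    def __init__(self, ip, secret):
        self.ip, self.secret, self.server_cookies = ip, secret, {}

    def query_option(self, server_ip):
        c = client_cookie(self.ip, server_ip, self.secret)
        return encode_cookie_option(c, self.server_cookies.get(server_ip, b""))

    def accept_response(self, server_ip, option):
        """Drop any response whose client cookie is not ours (forged or stale);
        otherwise remember the server cookie for the next query."""
        c, s = decode_cookie_option(option)
        if not hmac.compare_digest(c, client_cookie(self.ip, server_ip, self.secret)):
            return False
        self.server_cookies[server_ip] = s
        return True


def run_exchange():
    """Constructed scenario: one honest client, one off-path attacker spoofing its address."""
    server_ip, victim_ip = "192.0.2.53", "198.51.100.7"
    server = CookieServer(os.urandom(16))
    victim = CookieClient(victim_ip, os.urandom(16))
    out = {}
    # 1. First contact: client cookie only -> 20-byte cookie reply, no expensive work.
    rcode, opt, full = server.handle(victim_ip, victim.query_option(server_ip))
    victim.accept_response(server_ip, opt)
    out["first_contact"] = (rcode, full, len(opt))
    # 2. Second query carries both cookies -> verified, full service.
    rcode, opt, full = server.handle(victim_ip, victim.query_option(server_ip))
    out["verified"] = (rcode, full)
    # 3. Attacker spoofs the victim's address; knowing neither secret, it can only guess.
    rcode, opt, full = server.handle(victim_ip, encode_cookie_option(os.urandom(8), os.urandom(8)))
    out["spoofed"] = (rcode, full, len(opt))          # BADCOOKIE and a tiny reply: nothing to amplify
    # 4. Attacker forges a response to the victim; the client cookie cannot match, so it is dropped.
    out["forged_response_accepted"] = victim.accept_response(
        server_ip, encode_cookie_option(os.urandom(8), os.urandom(8)))
    return out


if __name__ == "__main__":
    for name, result in run_exchange().items():
        print(name, result)
```

Running the script shows the first query answered with only a cookie, the second given full service, the spoofed query answered with RCODE 23 (BADCOOKIE) and a reply no larger than the request, and the forged response discarded by the client. Note that the server still answers a client that sends no cookie at all; how aggressively such requests are rate-limited is the policy decision RFC 7873 leaves to operators.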