A proposal raised late May at the Internet Engineering Task Force (IETF) suggests adding cookies to the DNS to help defend the critical system against denial-of-service exploits.

The domain name system (DNS) is an old and fundamental piece of the Internet architecture, providing translation between human-readable addresses like theregister.com and IP addresses.

The DNS has also been exploited several times over the years as a traffic amplifier in DoS attacks. [amplification attacks]

RFC 7873, authored by Donald Eastlake (Huawei*) and Mark Andrews (ISC*), puts forward the intriguing notion that a simple cookie deployment could help.

They describe DNS Cookies as “a lightweight DNS transaction security mechanism” for clients and servers. While the idea offers only “limited protection”, the authors say they can help address denial-of-service, amplification, forgery, and cache poisoning attacks.

For the privacy-conscious, the authors note that their proposal is that the DNS cookies only be returned to their originating IP address, preventing them being used as a tracking mechanism.

The protection offered by the DNS cookie, the RFC says, comes from the fact that an attacker would have to guess the 64-bit pseudorandom value of the cookie.

The client cookie would be calculated using the client's IP address, the server IP address, and “a secret value known only to the client”. The client's IP address, the client cookie, and a secret known to the server would be used to calculate the server cookie.

Here's how the authors imagine the cookies would help in various DNS attack scenarios:

DoS attacks using forged addresses – the basic DNS denial-of-service attack uses a forged client address. The cookie doesn't block such attacks – but it does identify the client by its real IP address, which makes attribution more feasible, making the attack less anonymous;

DNS amplification – from the RFC: “Enforced DNS Cookies would make it hard for an off-path attacker to cause any more than rate-limited short error responses to be sent to a forged IP address, so the attack would be attenuated rather than amplified”.

Server DoS – any DNS request accepted by a server uses its resources, making it relatively straightforward to hose a server by flooding it with requests. The cookies make it very easy to reject forged requests “before any recursive queries or public key cryptographic operations are performed.”

Cache poisoning and answer forgery attacks – the DNS cookies let resolvers reject forged replies.

The RFC also lays out an incremental rollout scheme for DNS cookies. ®

Bootnote: *IETF RFCs are the work of individuals, not their employers, but affiliations get a mention as a courtesy. ®