On Tue, 28 Apr 2020, Davey Song wrote:

OK. It makes sense to try every name server to defend the case if the adversary
only intercepts one path. But the adversary also knows the resolver will
retry other servers. So a smarter adversary may intercept in the aggregated
upstream path where all queries are sent.

Then those adversaries that seem able to block any packets from reaching
you can also block 8.8.8.8 and all known DoT and DoH servers by IP?
And send you RST packets.

But if the attackers have that much power, they can also just RST all your
TLS connections to webservers and just let you have your DNS
packets.

I think you need to be a little more exact on the attack you are
describing and what would be a sensible defense.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
