On Tue, 28 Apr 2020, Davey Song wrote:
> OK. It makes sense to try every name server to defend against the case where the adversary only intercepts one path. But the adversary also knows the resolver will retry other servers. So a smarter adversary may intercept in the aggregated upstream path where all queries are sent.
Then those adversaries that seem able to block any packets from reaching you can also block 8.8.8.8 and all known DoT and DoH servers by IP? And send you RST packets. But if the attackers have that much power, they can also just RST all your TLS connections to webservers and just let you have your DNS packets. I think you need to be a little more exact on the attack you are describing and what would be a sensible defense.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop