[GH-ISSUE #2390] Randomize capitalization of queries for spoofing resistance #979

Closed
opened 2026-03-16 01:09:15 +03:00 by kerem · 3 comments

Originally created by @divergentdave on GitHub (Aug 27, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2390

Is your feature request related to a problem? Please describe.
I'm interested in using randomized capitalization as described in draft-vixie-dnsext-dns0x20-00 (https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00) as a defense-in-depth measure against DNS response spoofing.

Describe the solution you'd like
This feature would randomize the 0x20 bit of alphabetical characters in outgoing queries, and require that responses mirror the exact same capitalization of the query. This provides additional entropy, on top of the message ID and the client's UDP source port, and makes network-based DNS attacks harder. This feature should be configurable, since there are rare DNS implementations that lowercase the query in their responses. A fallback mechanism may be necessary as well, like that described in section 6.4 of the above I-D.

Describe alternatives you've considered

  • Not using bit 0x20 randomization: status quo, only has 16 to ~32 bits of entropy depending on the deployment scenario
  • Repeat all queries and compare results: similar to the fallback in section 6.4, resource-intensive
  • Use DNSSEC to authenticate responses, regardless of the security of the transport: only protects zones that deploy it
  • Use DoT/DoQ-to-the-authority, to secure the transport layer: can be done opportunistically (RFC 9539), but only protects zones with nameservers that deploy it

Additional context
See Unbound's use-caps-for-id and caps-exempt configuration parameters for comparison. Google Public DNS (https://security.googleblog.com/2024/03/google-public-dnss-approach-to-fight.html) has also implemented this feature in their recursor.

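The query-side randomization and the response check described in the issue above, written out as an added example in Rust. This is illustration code, not hickory-dns code and not the issue author's; the tiny xorshift PRNG, the function names, and the sample name www.example.com are assumptions for the example, and a real resolver must take the case bits from a CSPRNG rather than a seeded toy generator.

```rust
// Added example of draft-vixie-dnsext-dns0x20 query-name case randomization.
// Standalone illustration; not part of hickory-dns or the issue text.

/// Minimal xorshift64* generator, used only so this example is deterministic
/// and dependency-free (assumption). A resolver must use a CSPRNG here.
struct Rng(u64);

impl Rng {
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x >> 12;
        x ^= x << 25;
        x ^= x >> 27;
        self.0 = x;
        x.wrapping_mul(0x2545_F491_4F6C_DD1D)
    }
    fn next_bit(&mut self) -> bool {
        (self.next_u64() >> 63) == 1
    }
}

/// Extra entropy 0x20 randomization adds for a name: one bit per ASCII
/// letter. Digits, hyphens and label dots contribute nothing.
fn entropy_bits(name: &[u8]) -> u32 {
    name.iter().filter(|b| b.is_ascii_alphabetic()).count() as u32
}

/// Randomize the 0x20 (case) bit of every ASCII letter in `name`; all other
/// bytes pass through unchanged. The result is what goes on the wire.
fn randomize_case(name: &[u8], rng: &mut Rng) -> Vec<u8> {
    name.iter()
        .map(|&b| {
            if b.is_ascii_alphabetic() {
                if rng.next_bit() { b | 0x20 } else { b & !0x20 }
            } else {
                b
            }
        })
        .collect()
}

/// The 0x20 check: the QNAME echoed in the response's question section must
/// equal the sent QNAME byte-for-byte. A forged response that guessed the
/// message ID and source port but not the case pattern is rejected here.
fn qname_matches(sent: &[u8], received: &[u8]) -> bool {
    sent == received
}

/// The ordinary DNS comparison, case-insensitive, shown for contrast: it
/// accepts any case pattern and so gains nothing from the randomization.
fn qname_matches_legacy(sent: &[u8], received: &[u8]) -> bool {
    sent.eq_ignore_ascii_case(received)
}

/// Heuristic for the failure mode the issue mentions: a server that
/// lowercases the QNAME before echoing it. The names agree ignoring case,
/// the echoed name has no uppercase, and the sent name did. A resolver could
/// use this to decide to retry without 0x20 or to exempt the server.
fn looks_like_lowercasing_server(sent: &[u8], received: &[u8]) -> bool {
    sent.eq_ignore_ascii_case(received)
        && sent != received
        && received.iter().all(|b| !b.is_ascii_uppercase())
}

fn main() {
    let mut rng = Rng(0x9E37_79B9_7F4A_7C15);
    let qname = b"www.example.com"; // constructed sample name
    let sent = randomize_case(qname, &mut rng);
    println!("sent:    {}", String::from_utf8_lossy(&sent));
    println!("entropy: {} extra bits", entropy_bits(qname));
    let echoed = sent.clone();
    let lowered = sent.to_ascii_lowercase();
    println!("faithful echo accepted: {}", qname_matches(&sent, &echoed));
    println!(
        "lowercased echo accepted: {} (legacy check would accept: {})",
        qname_matches(&sent, &lowered),
        qname_matches_legacy(&sent, &lowered)
    );
    println!(
        "lowercasing server suspected: {}",
        looks_like_lowercasing_server(&sent, &lowered)
    );
}
```

The check must run against the QNAME in the response's question section, which the responder copies from the query; comparing the case of owner names in the answer section would not work, since those are under the authority's control. A name with no letters (for example a pure reverse-lookup label of digits and dots) gets no added entropy, which is why the issue lists 0x20 as defense in depth on top of ID and source-port randomization rather than a replacement for them.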
kerem 2026-03-16 01:09:15 +03:00

@bluejekyll commented on GitHub (Mar 2, 2025):

@divergentdave , is this fixed at this point?


@divergentdave commented on GitHub (Mar 2, 2025):

No, #2683 is currently blocked on a review


@divergentdave commented on GitHub (Apr 25, 2025):

Implemented in #2683.
