mirror of
https://github.com/hickory-dns/hickory-dns.git
synced 2026-04-25 19:25:56 +03:00
[GH-ISSUE #2390] Randomize capitalization of queries for spoofing resistance #979
Originally created by @divergentdave on GitHub (Aug 27, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2390
Is your feature request related to a problem? Please describe.
I'm interested in using randomized capitalization as described in draft-vixie-dnsext-dns0x20-00 as a defense-in-depth measure against DNS response spoofing.
Describe the solution you'd like
This feature would randomize the 0x20 bit of alphabetical characters in outgoing queries, and require that responses mirror the exact same capitalization of the query. This provides additional entropy, on top of the message ID and the client's UDP source port, and makes network-based DNS attacks harder. This feature should be configurable, since there are rare DNS implementations that lowercase the query in their responses. A fallback mechanism may be necessary as well, like that described in section 6.4 of the above I-D.
Describe alternatives you've considered
Additional context
See Unbound's use-caps-for-id and caps-exempt configuration parameters for comparison. Google Public DNS has also implemented this feature in their recursor.
@bluejekyll commented on GitHub (Mar 2, 2025):
@divergentdave , is this fixed at this point?
@divergentdave commented on GitHub (Mar 2, 2025):
No, #2683 is currently blocked on a review
@divergentdave commented on GitHub (Apr 25, 2025):
Implemented in #2683.
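The mechanism requested in the issue, as an added worked example: it is not hickory-dns code and not the implementation in #2683. It randomizes the 0x20 bit of each ASCII letter in an outgoing query name, encodes the name as a wire-format QNAME so the case pattern travels in the question section, and classifies a response's QNAME as an exact mirror (accept), a case-folded copy (the rare lowercasing server the issue mentions, where a per-server fallback like section 6.4 of the I-D would apply), or a mismatch (discard as a possible spoof). The xorshift generator, the function names and the sample names are assumptions made for this example; a real resolver would draw the bits from a CSPRNG.

```rust
// Added example, not hickory-dns code: DNS 0x20 case randomization of an
// outgoing query name and the strict mirroring check applied to the answer.

/// Small xorshift64 generator so the example runs without external crates.
/// This is a stand-in (assumption); a real resolver draws the bits from a CSPRNG.
pub struct Xorshift64(u64);

impl Xorshift64 {
    pub fn new(seed: u64) -> Self {
        // xorshift must never be seeded with zero, or it stays at zero forever
        Xorshift64(if seed == 0 { 0x9E37_79B9_7F4A_7C15 } else { seed })
    }

    pub fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }
}

/// Flip the 0x20 bit of every ASCII letter in `name` according to one random
/// bit per letter. Digits, '-' and '.' are untouched, so the name still refers
/// to the same owner; only the case pattern changes.
pub fn randomize_case(name: &str, rng: &mut Xorshift64) -> String {
    let mut out = String::with_capacity(name.len());
    let mut bits = 0u64;
    let mut remaining = 0u32;
    for c in name.chars() {
        if c.is_ascii_alphabetic() {
            if remaining == 0 {
                bits = rng.next_u64();
                remaining = 64;
            }
            let upper = (bits & 1) == 1;
            bits >>= 1;
            remaining -= 1;
            out.push(if upper { c.to_ascii_uppercase() } else { c.to_ascii_lowercase() });
        } else {
            out.push(c);
        }
    }
    out
}

/// Entropy added by 0x20: one bit per ASCII letter in the query name.
pub fn extra_entropy_bits(name: &str) -> u32 {
    name.chars().filter(|c| c.is_ascii_alphabetic()).count() as u32
}

/// Encode a presentation-format name as a wire-format QNAME (length-prefixed
/// labels, terminated by a zero byte). Case is preserved verbatim, which is
/// what lets the 0x20 bits ride along in the question section.
pub fn encode_qname(name: &str) -> Vec<u8> {
    let mut out = Vec::new();
    for label in name.split('.').filter(|l| !l.is_empty()) {
        out.push(label.len() as u8);
        out.extend_from_slice(label.as_bytes());
    }
    out.push(0);
    out
}

#[derive(Debug, PartialEq, Eq)]
pub enum NameCheck {
    /// Question section mirrors the sent name byte for byte: accept.
    ExactMatch,
    /// Same name but the case was folded: the rare server that lowercases
    /// names, a candidate for a per-server fallback (I-D section 6.4).
    CaseFoldedOnly,
    /// A different name: drop the response as a possible spoof.
    Mismatch,
}

/// Compare the QNAME of a received response against the QNAME that was sent.
/// The response is only trusted when the case pattern is reproduced exactly.
pub fn check_response_qname(sent: &[u8], received: &[u8]) -> NameCheck {
    if sent == received {
        NameCheck::ExactMatch
    } else if sent.eq_ignore_ascii_case(received) {
        NameCheck::CaseFoldedOnly
    } else {
        NameCheck::Mismatch
    }
}

fn main() {
    let mut rng = Xorshift64::new(0x5EED);
    let sent = randomize_case("www.example.com.", &mut rng);
    println!("query name: {sent} ({} extra bits)", extra_entropy_bits(&sent));
    let wire = encode_qname(&sent);
    println!("exact:   {:?}", check_response_qname(&wire, &encode_qname(&sent)));
    println!("folded:  {:?}", check_response_qname(&wire, &encode_qname("www.example.com.")));
    println!("spoofed: {:?}", check_response_qname(&wire, &encode_qname("www.example.net.")));
}
```

The comparison is done on the wire bytes rather than on a parsed name so that an implementation cannot accidentally fold case while decoding; a response that only matches case-insensitively is what the fallback logic would count against a server before deciding to stop randomizing for it.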