DNS Cookies Support

This is a feature request: Add support for DNS Cookies for more secure DNS requests.

A good article regarding DNS cookies:

Benefits:
Makes DNS cache poisoning very difficult
Prevents spoofed DNS

@killamjr Please contact the maintainer of dnsmasq for adding support for DNS cookies if you want to use them. This is a mandatory process for eventually supporting them in Pi-hole.

I asked...

> I'm interested to look at this, but dnsmasq development is pretty simon-bandwidth limited, so no promises.


Follow up by Simon...

> Thinking about this more, specifically the cost/benefit. In the pi-hole case, the dnsmasq->unbound network path is local, so not much in need of spoof protection. Much more useful would be dnsmasq talking to ISP recursive servers or Google/cloudflare public DNS. Problem is that protection only happens if the upstream implements cookies too, and so far I can't find a single one which does. Certainly 8.8.8.8, 1.1.1.1 and 9.9.9.9 don't and neither do my ISPs.

Does anybody know an ISP (and the IP addresses of its DNS servers) that actually implemented this RFC?

AFAIK, most (if not all) root servers and many TLD servers support DNS cookies since 2016. However, I'm also not aware of a recursive server that would be directly accessible for using in dnsmasq.

I think you can test if a given server supports DNS cookies using something like

dig +cookie google.com @1.1.1.1

given you have a sufficiently recent version of dig (I have 9.11.0).
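The same check done by hand, as an added example that is not part of this thread, of dnsmasq or of Pi-hole: it builds a query carrying an EDNS(0) COOKIE option (option code 10, RFC 7873) and then looks for a server cookie in the reply, which is what `dig +cookie name @server` reports. The function names, the fixed transaction id and the 4096-byte UDP size are my own choices.

```python
import os
import socket
import struct

COOKIE_OPT = 10  # EDNS(0) option code for COOKIE (RFC 7873)

def build_cookie_query(name, client_cookie, txid=0x1234):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    opt_data = struct.pack(">HH", COOKIE_OPT, len(client_cookie)) + client_cookie
    opt_rr = b"\x00" + struct.pack(">HHIH", 41, 4096, 0, len(opt_data)) + opt_data  # root name, type OPT
    return header + qname + struct.pack(">HH", 1, 1) + opt_rr  # QTYPE A, QCLASS IN

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += n + 1

def server_cookie(msg, client_cookie):
    """Server cookie echoed in `msg`, or None if the server did not honour the option."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != 41:
            continue
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack(">HH", rdata[p:p + 4])
            val, p = rdata[p + 4:p + 4 + olen], p + 4 + olen
            # RFC 7873: client cookie (8) + server cookie (8..32); the client half must be ours
            if code == COOKIE_OPT and 16 <= olen <= 40 and val[:8] == client_cookie:
                return val[8:]
    return None

def probe(server_ip, name="google.com", timeout=3.0):
    # Network form of `dig +cookie name @server_ip`; returns the server cookie or None
    cc = os.urandom(8)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_cookie_query(name, cc), (server_ip, 53))
    return server_cookie(sock.recv(4096), cc)
```

A resolver without cookie support answers normally but simply omits the option, so `probe()` returns None; one that supports them returns 8 to 32 bytes of server cookie, which a client would then send back on later queries to that server.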

Can unbound evaluate DNS cookies?

BUMP, I'd like to see this