
Warning: DNS root server upgrade puts networks at risk of paralysis

Posted by: | Posted on: March 4, 2017

On May 5th, according to ICANN, the world's 13 root name servers, led by the United States government and Verisign, will be upgraded with DNSSEC (Domain Name System Security Extensions). The DNSSEC upgrade inserts a digital signature into the response to each Internet user's DNS request, to ensure that the domain name address is returned without tampering.

DNSSEC is designed to prevent man-in-the-middle attacks, in which hackers hijack DNS requests and return a false address to the requesting party. This attack method is similar to normal DNS redirection: the user is transferred to another URL imperceptibly. (51CTO.com note: domain name hijacking and DNS cache poisoning attacks are actually quite widespread, and the DNS cache loophole is one of the biggest Internet vulnerabilities; DNSSEC can solve this kind of problem. The Baidu incident at the beginning of this year was caused by an attack on its DNS server.)

According to Bruce Tonkin, chief strategy officer of Melbourne IT and an ICANN director, this upgrade will take unprepared network administrators by surprise. A standard DNS request response is often only a single packet (UDP protocol), and its size is generally not more than 521 bytes. On some older network equipment, the factory default configuration blocks responses bigger than this, because the device treats an over-sized packet as abnormal.

As of 17:00 UTC on May 5th, DNSSEC-signed messages sent to users' DNS resolvers will be up to 2KB, 4 times the original size. Many network devices may reject such a large packet, so the response is likely to be sent over TCP, split into multiple packets.

Tonkin is a little worried: although a timetable for DNSSEC has been provided, many IT and network administrators have not tested their old routers and firewalls, and equipment that cannot handle the larger DNS response packets will be in trouble.

He said: "Devices in the enterprise network may block DNS request response packets that are larger than before."

In fact, DNSSEC has been ready on the world's 13 root servers since November 2009. So far, it has only caused a slight delay in loading web pages behind many old network devices.

Not all DNS root servers will respond to each request: the DNS resolver on the user's machine queries the 13 root servers one by one until a satisfactory reply is returned. Once all 13 root servers are online with DNSSEC signatures, none of the responses will reach enterprise networks behind old devices. Tonkin hopes ISPs can solve this problem.
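The size problem described above can be checked from inside a network before it causes an outage. The following Python code is an added example, not part of the original article: it builds a DNSSEC-enabled query (an EDNS0 OPT record with the DO bit set) and classifies replies against a device size limit. The function names, the constructed sample replies, and the use of the article's 521-byte figure as the limit are assumptions.

```python
import socket
import struct

DO_BIT = 0x8000      # "DNSSEC OK" flag carried in the EDNS0 OPT record
TYPE_OPT = 41        # EDNS0 pseudo-record type
TYPE_DNSKEY = 48     # a signed zone's keys: a typically large answer

def build_query(name, qtype=TYPE_DNSKEY, udp_size=4096, dnssec_ok=True, txid=0x1234):
    """DNS query whose OPT record advertises udp_size and, optionally, the DO bit."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    opt_ttl = DO_BIT if dnssec_ok else 0                    # ext-rcode and version stay 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, opt_ttl, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def classify(reply, txid, device_limit):
    """Compare a UDP reply with a device that drops DNS messages above device_limit."""
    if reply is None:
        return "no reply: dropped on the path or timed out"
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not flags & 0x8000:       # QR bit must mark a response
        return "malformed"
    if flags & 0x0200:                          # TC bit: answer did not fit in UDP
        return "truncated: retry over TCP"
    if len(reply) > device_limit:
        return "oversize: %d bytes exceeds the %d-byte limit" % (len(reply), device_limit)
    return "ok: %d bytes" % len(reply)

def probe(server, name=".", device_limit=521, timeout=3.0):
    """Live check (needs network access): request a signed answer over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            reply = s.recvfrom(65535)[0]
        except OSError:                         # includes socket timeouts
            reply = None
    return classify(reply, 0x1234, device_limit)

def sample_reply(size, truncated=False, txid=0x1234):
    """Constructed reply for offline use: valid header, zero padding as the body."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0).ljust(size, b"\x00")

if __name__ == "__main__":
    for r in (sample_reply(400), sample_reply(2048), sample_reply(100, True), None):
        print(classify(r, 0x1234, 521))
```

Running `probe()` against the resolver a site actually uses, from behind the firewall under test, shows whether large signed answers arrive, come back truncated, or vanish.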




