Our DNS privacy service's resolver hosts do not send ICMP packets in response to closed UDP ports (net.inet.udp.blackhole=1).

This disrupts the SAD DNS cache poisoning attack.


@applied_privacy It is also mitigated by just DROPping everything by default, isn't it? Using DROP instead of REJECT (or nothing at all) does not generate a destination/port unreachable ICMP reply?

cc @infosechandbook
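An added check (not from either poster) for verifying on a host you administer that closed UDP ports stay silent, whether that comes from `net.inet.udp.blackhole=1` or a default DROP firewall policy. It relies on the kernel reporting an ICMP port-unreachable as ECONNREFUSED on a connected UDP socket; the loopback demo assumes a Linux or BSD host whose loopback interface is not blackholed, so the closed port is still observable there.

```python
import socket
from enum import Enum


class Probe(Enum):
    UNREACHABLE_SEEN = "ICMP port unreachable delivered: closed port is observable"
    SILENT = "no reply within timeout: blackholed, dropped, or port is open"


def probe_udp_port(host: str, port: int, timeout: float = 0.5) -> Probe:
    """Send one UDP datagram and report whether the peer revealed a closed port.

    A connected UDP socket surfaces an ICMP destination/port unreachable for
    its datagram as ECONNREFUSED on the next recv(). A host that blackholes
    or DROPs (rather than REJECTs) gives only a timeout, which is exactly
    what an open-but-quiet port looks like, so open and closed become
    indistinguishable to the probe.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(b"probe")  # constructed payload; content is irrelevant
        try:
            s.recv(1)
        except ConnectionRefusedError:
            return Probe.UNREACHABLE_SEEN
        except socket.timeout:
            return Probe.SILENT
    # The port answered with data: it is open and not silent.
    return Probe.SILENT


def loopback_demo() -> dict:
    """Compare an open (bound, quiet) UDP port with a closed one on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    open_port = listener.getsockname()[1]
    # Grab a free port and release it so we have a port that is closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {
            "open": probe_udp_port("127.0.0.1", open_port),
            "closed": probe_udp_port("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, outcome in loopback_demo().items():
        print(f"{label:6s} -> {outcome.value}")
```

Run it against a resolver's address instead of loopback: a properly blackholed or DROPping host returns SILENT for closed ports too, which is the condition the first post describes.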
