DNS-over-TCP considered vulnerable

The research and operational communities believe that TCP provides protection against IP fragmentation attacks and recommend that servers avoid sending DNS responses over UDP but use TCP instead. In this work we show that IP fragmentation attacks also apply to servers that communicate over TCP. Our measurements indicate that in the 100K-top Alexa domains there are 393 additional domains whose nameservers can be forced to (source) fragment IP packets that contain TCP segments. In contrast, responses from these domains cannot be forced to fragment when sent over UDP. Our study not only shows that the recommendation to use TCP instead of UDP in order to avoid attacks that exploit fragmentation is risky, but it also unveils that the attack surface due to fragmentation is larger than was previously believed. We evaluate IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP.