by Dylan16807
2845 days ago
At a level that needs OS cooperation to detect, there are packets with invalid ports or invalid sequence numbers for TCP. On top of that, the requests themselves have a 16-bit ID that acts as a random cookie. If we could extend DNS to make the ID bigger that would solve the problem by itself. There have been attempts to use rAnDOm CAsE to make spoofing harder, but it only works on some DNS servers. For attacks like this, there are thousands to billions of spoofed responses coming in. It's not subtle at all, or very hard to keep track of the domains under fire.

Edit: Oh wait, the queries themselves? That's a very different problem and there's no good solution. Harass more ISPs into implementing filters that drop spoofed IPs from their users.
* http://cr.yp.to/proto/taiclock.txt
* http://cr.yp.to/djbdns/forgery.html
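Added example, not part of the comment above or of any resolver's code: a toy resolver that remembers the 16-bit transaction ID, the UDP source port and the exact (0x20 case-randomized) question it sent, and accepts a UDP answer only when all three match. It also tallies how many bits an off-path forger has to guess under each configuration. The name `www.example.com`, the seeded `random.Random` (a real resolver needs a CSPRNG such as `secrets`), and the packets are constructed here for illustration.

```python
import math
import random
import struct

NAME = "www.example.com"  # constructed sample name, not from the original page


def randomize_case(name: str, rng: random.Random) -> str:
    """0x20 encoding: flip the case of each letter of the question name at random."""
    return "".join(c.upper() if (c.isalpha() and rng.random() < 0.5) else c.lower()
                   for c in name)


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels, case preserved."""
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_packet(txid: int, qname: str, response: bool, ttl: int = 300) -> bytes:
    """Minimal A query (or answer) for qname; the answer carries one A record."""
    flags = 0x8180 if response else 0x0100          # QR/RD/RA vs. RD only
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    if response:
        # compression pointer to the question name, then TYPE/CLASS/TTL/RDLENGTH/RDATA
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 1])
    return pkt


def question_section(pkt: bytes) -> bytes:
    """Return the question section bytes exactly as they appear (case preserved)."""
    i = 12
    while pkt[i] != 0:                      # walk the labels to the root byte
        i += pkt[i] + 1
    return pkt[12:i + 1 + 4]                # include root byte, QTYPE and QCLASS


class PendingQuery:
    """What the resolver remembers about an outstanding UDP query."""
    def __init__(self, qname, rng, random_port=True, use_0x20=True):
        # demo only: rng is a seeded random.Random; production code must use a CSPRNG
        self.txid = rng.randrange(1 << 16)
        self.port = rng.randrange(1024, 1 << 16) if random_port else 53
        self.wire_name = randomize_case(qname, rng) if use_0x20 else qname.lower()
        self.packet = build_packet(self.txid, self.wire_name, response=False)


def accept_response(pending: PendingQuery, dst_port: int, pkt: bytes) -> bool:
    """Resolver-side check: port, ID, QR bit and the exact question bytes must match."""
    if len(pkt) < 12 or dst_port != pending.port:
        return False
    txid, flags = struct.unpack("!HH", pkt[:4])
    if txid != pending.txid or not (flags & 0x8000):
        return False
    # byte-for-byte comparison is what makes 0x20 case count as entropy
    return question_section(pkt) == question_section(pending.packet)


def entropy_bits(qname: str, random_port: bool, use_0x20: bool) -> float:
    """Bits an off-path forger must guess per response under each configuration."""
    bits = 16.0                                  # transaction ID
    if random_port:
        bits += math.log2((1 << 16) - 1024)      # ~15.98 bits of ephemeral port
    if use_0x20:
        bits += sum(c.isalpha() for c in qname)  # one bit per letter
    return bits


if __name__ == "__main__":
    rng = random.Random(1)
    weak = PendingQuery(NAME, rng, random_port=False, use_0x20=False)
    forged = build_packet(weak.txid, NAME, response=True)   # attacker guessed the ID
    print("ID-only resolver accepts forged answer:", accept_response(weak, 53, forged))
    strong = PendingQuery(NAME, rng)
    forged = build_packet(strong.txid, NAME, response=True)  # right ID, wrong case
    print("0x20 resolver accepts lower-case forgery:", accept_response(strong, strong.port, forged))
    for rp, c in [(False, False), (True, False), (True, True)]:
        print(f"port_random={rp} 0x20={c}: {entropy_bits(NAME, rp, c):.1f} bits to guess")
```

The second print shows the caveat the comment raises: 0x20 only helps when the authoritative server echoes the question name byte-for-byte; a server that normalizes case in its answer makes the resolver reject legitimate replies, which is why resolvers that deploy it keep a fallback.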