Vulnerability to cache poisoning -- the rest of the solution
Mark Andrews
Mark_Andrews at isc.org
Tue Jul 15 09:13:28 UTC 2008
> Hi there,
>
> On Tue, 15 Jul 2008, Mark Andrews wrote:
>
> > > Will BIND randomize query TCP source ports as well (when TCP is
> > > required) with these new patches?
> >
> > TCP doesn't need to randomise the port. Your TCP stack
> > should be randomising the 32 bit TCP sequence number it
> > uses when establishing a connection. If it doesn't, get a
> > new OS as the one you have is ancient and full of security
> > holes.
> >
> > This makes TCP much harder, but not impossible, to spoof
> > than UDP.
>
> As an interim measure, I take it that using TCP only isn't an option?
No. You have people that believe they can block TCP
connections to DNS servers despite the RFCs saying they
SHOULD be open.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
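A check a practitioner might want after reading the above, added here as example code that is not part of the thread or of BIND: given a sample of source ports observed on a resolver's outgoing queries (for instance taken from a packet capture), classify the sample as fixed, sequential or randomised, and estimate how many bits an off-path attacker must guess per forged reply over UDP versus TCP. The port samples are constructed, the function names are my own, and the TCP figure is a simplification that counts only the 32-bit sequence number and ignores receive-window tolerance.

```python
"""Estimate the guess space a DNS forger faces, from observed source ports.

Example code written for this archive page; not BIND's code and not
from the thread. All samples below are constructed, not captured.
"""
import math
import random
from collections import Counter

# The DNS transaction ID is a 16-bit field; on a resolver that sends every
# query from one fixed port it is the only thing a forger has to guess.
TXID_BITS = 16
# TCP initial sequence number is 32 bits. Simplification (assumption): we
# ignore the receive-window tolerance that lets an in-window guess succeed.
TCP_ISN_BITS = 32


def _sequential_fraction(ports, tolerance=2):
    """Fraction of consecutive samples that differ by at most `tolerance`."""
    diffs = [abs(b - a) for a, b in zip(ports, ports[1:])]
    return sum(1 for d in diffs if d <= tolerance) / len(diffs)


def classify_ports(ports):
    """Return 'fixed', 'sequential' or 'randomised' for a port sample."""
    if len(ports) < 2 or len(set(ports)) == 1:
        return "fixed"
    if _sequential_fraction(ports) > 0.9:
        return "sequential"
    return "randomised"


def port_entropy_bits(ports):
    """Rough bits of unpredictability the source port adds for a forger.

    A fixed port or a predictable sequential walk scores 0. A randomised
    resolver is credited log2 of the span of ports seen, which is only
    a ceiling: take a large sample (hundreds of queries) before trusting
    it, and a sample dominated by one port is scored 0 as well.
    """
    if classify_ports(ports) != "randomised":
        return 0.0
    top_share = Counter(ports).most_common(1)[0][1] / len(ports)
    if top_share > 0.25:  # mostly reusing one port: treat as predictable
        return 0.0
    return math.log2(max(ports) - min(ports) + 1)


def forgery_guess_bits(transport, ports):
    """Bits an off-path attacker must guess to land one forged reply.

    UDP: transaction ID plus whatever the source port contributes.
    TCP: the same plus the 32-bit sequence number, which is why the
    thread says TCP port randomisation is not needed (see the caveat
    on TCP_ISN_BITS above).
    """
    bits = TXID_BITS + port_entropy_bits(ports)
    if transport == "tcp":
        bits += TCP_ISN_BITS
    return bits


def expected_forgeries(bits):
    """Mean forged packets sent before one matches (geometric trial)."""
    return 2 ** bits


# Constructed samples, not from any real capture.
FIXED_PORT_SAMPLE = [53] * 200                 # one port for every query
SEQUENTIAL_SAMPLE = list(range(32768, 32968))  # predictable port walk
_rng = random.Random(2008)
RANDOMISED_SAMPLE = [_rng.randint(1024, 65535) for _ in range(200)]


def report(name, ports):
    """One-line summary for a sample, as a human-readable string."""
    kind = classify_ports(ports)
    udp = forgery_guess_bits("udp", ports)
    tcp = forgery_guess_bits("tcp", ports)
    return (f"{name}: ports {kind}; UDP forgery ~{udp:.1f} bits "
            f"(~{expected_forgeries(udp):.3g} packets), TCP ~{tcp:.1f} bits")


if __name__ == "__main__":
    print(report("fixed", FIXED_PORT_SAMPLE))
    print(report("sequential", SEQUENTIAL_SAMPLE))
    print(report("randomised", RANDOMISED_SAMPLE))
```

Feed `classify_ports` and `port_entropy_bits` the UDP source ports of a resolver's outbound queries to a test zone you control; a result of "fixed" or "sequential" on a resolver that is supposed to be patched is the finding to chase.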