Vulnerability to cache poisoning -- the rest of the solution
Kevin Darcy
kcd at chrysler.com
Tue Jul 15 19:28:16 UTC 2008
Mark Andrews wrote:
>> Hi there,
>>
>> On Tue, 15 Jul 2008, Mark Andrews wrote:
>>
>>
>>>> Will BIND randomize query TCP source ports as well (when TCP is
>>>> required) with these new patches?
>>>>
>>> TCP doesn't need to randomise the port. Your TCP stack
>>> should be randomising the 32 bit TCP sequence number it
>>> uses when establishing a connection. If it doesn't, get a
>>> new OS as the one you have is ancient and full of security
>>> holes.
>>>
>>> This makes TCP much harder, but not impossible, to spoof
>>> than UDP.
>>>
>> As an interim measure, I take it that using TCP only isn't an option?
>>
>
> No. You have people that believe they can block TCP
> connections to DNS servers despite the RFCs saying they
> SHOULD be open.
>
Well, more fundamentally than that, it would be a violation of RFC 1123
(Section 6.1.3.2 Transport Protocols: "DNS resolvers and recursive
servers MUST support UDP"), and TCP is a much bigger resource hog.
- Kevin
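A caveat that follows from the thread: the patched BIND only randomizes the UDP source port if the configuration does not pin it, since in BIND 9 a fixed `port` in `query-source` or `query-source-v6` overrides the randomization. The checker below is an added example, not code from this thread or from ISC; the two `named.conf` fragments it scans are constructed for the demonstration.

```python
import re

# Constructed named.conf fragment: both statements pin the query port to 53,
# which leaves the resolver with only the 16-bit transaction ID as entropy.
PINNED_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""

# Constructed fragment: the source address is fixed but the port is left to
# the resolver (omitted, or given as "*"), so port randomization stays on.
RANDOMIZED_CONF = """
options {
    directory "/var/named";
    // Address pinned, port left to the resolver: randomization stays on.
    query-source address 192.0.2.1;
    query-source-v6 address * port *;
};
"""

# A query-source statement runs from the keyword to the terminating ';'.
_STMT = re.compile(r'(query-source(?:-v6)?)\s+([^;]*);', re.IGNORECASE)
# The port argument is either a literal number or '*' (let the OS pick).
_PORT = re.compile(r'\bport\s+(\*|\d+)', re.IGNORECASE)


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, //, #."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.DOTALL)
    return re.sub(r'(//|#).*', '', text)


def find_pinned_query_ports(conf_text):
    """Return (statement, port) pairs whose fixed port defeats randomization."""
    findings = []
    for m in _STMT.finditer(strip_comments(conf_text)):
        stmt, args = m.group(1).lower(), m.group(2)
        p = _PORT.search(args)
        if p and p.group(1) != '*':
            findings.append((stmt, int(p.group(1))))
    return findings


if __name__ == '__main__':
    for name, conf in (('pinned', PINNED_CONF), ('randomized', RANDOMIZED_CONF)):
        print(name, find_pinned_query_ports(conf))
```

Any statement reported should have its `port` argument removed or changed to `port *` before the patched build is trusted to randomize.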