How do I randomize the DNS source port number?

Simon Waters Simon at wretched.demon.co.uk
Sat Jul 27 23:59:52 UTC 2002


phil-news-nospam at ipal.net wrote:
> 
> | An attacker taking that approach to DoS would have to be both
> | clever, and keen on doing things the hard way....
> 
> Doesn't seem clever to me in hindsight.  It's just not something
> I ever thought about before.  Forging packets is known "art".
> Poisoning cache is a known "art" (and as far as I know it can
> still be done if the response is "from" the right server, comes
> to the right port, is in response to a pending query, and applies
> to the zone the queried server is known to be authoritative for).

You also have to either intercept the query, or guess the DNS ID
in the query, only a 1 in 65536 chance (random ports boost this
to close to, but less than, 1 in 65536^2). That is why you
would expect to see a lot of packets: not only does he have to
get the right 400ms or so query/response gap, but in that 400ms
he must get the right DNS ID in the spoofed reply.

I'm not sure a simple wildcard response would poison (I haven't
tried it, but you aren't asking for the wildcard in the query so
it isn't a valid response); you would probably need to reply
with updates to the NS, and then have such a wildcard on your
own name servers (revealing the attacker's name servers in the
dump of the database).

Yes, it is a known attack, and there may be tools out there to
help script kiddies do it, but you need an ISP that allows
spoofed packet injection, a certain amount of DNS know-how, and
patience.

It just seems a lot of trouble to go to, to annoy one admin and
disrupt one mail server for a short period, compared to the
alternative attacks on mail servers. I'm not saying it didn't
happen, but without the dump you'll probably never know.

Restricting queries to your recursive name servers from external
addresses means they can't see when records will expire. Many
firewalls and BIND kick up a fuss when they see bad packets in a
brute-force poisoning attempt; if the logs are clean and it
wasn't a brute-force poisoning, then he can see your packets, in
which case, as Jim pointed out, changing the query port is no
defence.
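The race Simon describes can be modelled in a few dozen lines. The following is an added example, not code from the original post or from BIND: it models the checks a resolver applies before trusting a UDP reply (right server address, destination port equal to the query's source port, matching transaction ID, and a question section that echoes what was asked, which is why a reply for a wildcard name the resolver never queried is rejected), and then sizes the blind attacker's guess space with a fixed query port versus a randomized one over the ~400ms window. The addresses, names, the fixed query port 53 and the assumption that random ports are drawn from 1024..65535 are all constructed for the example.

```python
"""Constructed model of the blind DNS cache-poisoning race (added example).

Part 1: the acceptance checks a resolver applies to a UDP reply.
Part 2: how the 16-bit ID and a randomized source port size the attacker's
guess space, and what that means for the number of forged packets needed
inside the query/response window.

All addresses, names and port choices below are assumptions for the example.
"""
import math
import random
from dataclasses import dataclass

ID_SPACE = 1 << 16              # 16-bit DNS transaction ID
PORT_SPACE = 65536 - 1024       # assumption: random source ports drawn from 1024..65535
FIXED_QUERY_PORT = 53           # assumption: the non-randomized resolver always queries from 53


@dataclass(frozen=True)
class PendingQuery:
    server_ip: str   # authoritative server the resolver sent the question to
    src_port: int    # resolver's UDP source port for that query
    txid: int        # transaction ID the resolver chose
    qname: str
    qtype: str


@dataclass(frozen=True)
class Reply:
    src_ip: str
    dst_port: int
    txid: int
    qname: str       # question section as echoed in the reply
    qtype: str


def reply_is_acceptable(pending: set, r: Reply) -> bool:
    """Accept a reply only if it matches an outstanding query on every field
    a resolver can check without DNSSEC.  A reply whose question section is
    for some other name (e.g. a wildcard the resolver never asked about)
    fails here even if ID, port and source address are right."""
    key = PendingQuery(r.src_ip, r.dst_port, r.txid, r.qname.lower(), r.qtype)
    return key in pending


def make_pending(server_ip: str, qname: str, qtype: str,
                 randomize_port: bool, seed: int = 0) -> PendingQuery:
    """What the resolver records when it sends a query (seeded for repeatability)."""
    rng = random.Random(seed)
    port = rng.randrange(1024, 65536) if randomize_port else FIXED_QUERY_PORT
    return PendingQuery(server_ip, port, rng.randrange(ID_SPACE), qname.lower(), qtype)


def exhaustive_fixed_port_attack(pending: PendingQuery) -> int:
    """Attacker who knows the server address and the fixed query port and
    sweeps every transaction ID.  Returns how many forged replies were sent
    before one was accepted (at most ID_SPACE): the 'lot of packets'."""
    outstanding = {pending}
    for guess in range(ID_SPACE):
        forged = Reply(pending.server_ip, pending.src_port, guess,
                       pending.qname, pending.qtype)
        if reply_is_acceptable(outstanding, forged):
            return guess + 1
    return ID_SPACE  # not reached: a full sweep always hits


def blind_spoof_success(packets_in_window: int, randomized_port: bool) -> float:
    """P(at least one of N independent uniform guesses matches), where the
    attacker must guess the ID alone, or the ID and the source port."""
    space = ID_SPACE * (PORT_SPACE if randomized_port else 1)
    return 1.0 - (1.0 - 1.0 / space) ** packets_in_window


def packets_for_success(target_prob: float, randomized_port: bool) -> int:
    """Smallest N with blind_spoof_success(N) >= target_prob."""
    space = ID_SPACE * (PORT_SPACE if randomized_port else 1)
    return math.ceil(math.log(1.0 - target_prob) / math.log1p(-1.0 / space))


if __name__ == "__main__":
    q = make_pending("192.0.2.10", "mail.example.net", "MX", randomize_port=False, seed=2002)
    print("fixed port: ID sweep sent", exhaustive_fixed_port_attack(q), "forged replies")
    for rand in (False, True):
        print("randomized port" if rand else "fixed port",
              "- 50% success needs", packets_for_success(0.5, rand), "forged replies")
```

With a fixed query port the sweep over 65536 IDs succeeds after tens of thousands of packets on average, well within reach during one query window only if the attacker can inject at a high rate, which is what should show up in firewall and BIND logs; adding a randomized port multiplies the space by roughly 64k, so the same packet budget gives a success chance near zero. Note the model is for a blind attacker: if he can see the query (the "he can see your packets" case), both ID and port are read off the wire and neither number matters.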


More information about the bind-users mailing list