dig source port patch

Jim Reid jim at rfc1035.com
Mon Sep 1 09:43:59 UTC 2003


>>>>> "Simon" == Simon Waters <Simon at wretched.demon.co.uk> writes:

    Simon> On the other hand one cache (not BIND) uses a different
    Simon> source port for each query because this makes it harder to
    Simon> spoof answers (the DNS antispoofing mechanism being quite
    Simon> weak).

This is a popular misconception. Randomly changing the source port
number for outgoing queries does ABSOLUTELY NOTHING "to make it harder
to spoof queries". An attacker will see the query as it goes by. So
they'll already know the source port number (and query ID) no matter
how randomly they were selected. Even if the attacker can't see the
name server's queries -- nobody should assume that -- the name spaces
for both source port numbers and query IDs are only 64k each. So this
is easily overcome with a brute force flood attack, except for the
script kiddies who don't have ready access to the bandwidth to pump
out 64k * 64k spoof responses in less than (say) 5 seconds.

TSIG or DNSSEC are the only viable ways of preventing DNS spoofing.
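To put numbers on the search spaces and the flood described above, here is a small risk model (an added illustration, not code from the original post or from BIND). It assumes a blind spoofer who cannot observe the query, sends each forged response with a distinct (query ID, source port) guess, and must land a match before the genuine answer arrives; the 5-second window and the 100-byte forged packet size are constructed values for the calculation.

```python
"""Search-space model for blind DNS response spoofing (added example).

Models the 16-bit query ID and 16-bit UDP source port spaces the message
discusses, and converts "cover the whole space within a window" into a
required packet rate and bandwidth.  All inputs are constructed for
illustration; nothing here reflects a particular resolver's behaviour.
"""

QUERY_ID_SPACE = 1 << 16      # 16-bit DNS transaction ID
SOURCE_PORT_SPACE = 1 << 16   # 16-bit UDP port (upper bound; real pools are smaller)


def search_space(random_port: bool, usable_ports: int = SOURCE_PORT_SPACE) -> int:
    """Number of (query ID, source port) pairs a blind spoofer must cover.

    With a fixed source port only the query ID is unknown; with a random
    port the two 16-bit fields multiply (assumption: independent choices).
    """
    return QUERY_ID_SPACE * (usable_ports if random_port else 1)


def success_probability(packets_sent: int, space: int) -> float:
    """Chance that one of `packets_sent` distinct forged responses matches
    the single outstanding query.  Distinct guesses never repeat, so the
    probability is simply packets / space, capped at 1."""
    if packets_sent < 0 or space <= 0:
        raise ValueError("packets_sent must be >= 0 and space > 0")
    return min(1.0, packets_sent / space)


def packets_per_second_to_cover(space: int, window_seconds: float) -> float:
    """Forged responses per second needed to exhaust `space` inside the
    window between the resolver's query and the genuine answer."""
    return space / window_seconds


def bandwidth_to_cover(space: int, window_seconds: float, packet_bytes: int) -> float:
    """Bits per second needed to exhaust `space` within the window.

    Computed as space * bytes * 8 / window so the result is exact for the
    constructed inputs used in the test."""
    return space * packet_bytes * 8 / window_seconds


def compare(window_seconds: float = 5.0, packet_bytes: int = 100) -> dict:
    """Side-by-side figures for a fixed port versus a randomised port.
    Defaults are constructed values, not measurements."""
    report = {}
    for label, random_port in (("fixed_port", False), ("random_port", True)):
        space = search_space(random_port)
        report[label] = {
            "space": space,
            "pps_to_cover": packets_per_second_to_cover(space, window_seconds),
            "bps_to_cover": bandwidth_to_cover(space, window_seconds, packet_bytes),
        }
    return report


if __name__ == "__main__":
    for label, figures in compare().items():
        print(f"{label}: space={figures['space']}, "
              f"pps={figures['pps_to_cover']:.0f}, "
              f"Mbit/s={figures['bps_to_cover'] / 1e6:.1f}")
```

Run as a script it prints the two rows; the point for a defender is the ratio between them, which is what decides whether a given flood rate is realistic against the resolver under evaluation. Note that the model is an upper bound on the randomised case: a resolver drawing from a restricted port pool (or reusing ports) shrinks `usable_ports`, and the `usable_ports` argument exists so that can be plugged in.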

