dig source port patch

Jim Reid jim at rfc1035.com
Thu Sep 4 19:21:14 UTC 2003


>>>>> "Jonathan" == Jonathan de Boyne Pollard <J.deBoynePollard at tesco.net> writes:

    Jonathan> (This would be one of the more effective ways of hijacking
    Jonathan> resolving proxy DNS server softwares that use the "root
    Jonathan> hints" paradigm.)

That's all resolving name servers in other words. Nothing short of
digitally signing DNS packets is going to prevent flood attacks with
bogus data from spoofing resolvers. Rate limiters and so on might make
successful attacks harder, but they won't make them impossible. And
the bad guy only has to get lucky once. Even if the outgoing query has
a random port number.

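To put numbers on "harder but not impossible", here is an added worked example (it is not code from the post above, nor from BIND or dig). It models what an off-path attacker flooding a resolver with forged answers must guess: the 16-bit message ID alone when the query source port is fixed, or the ID plus the port when the port is randomised. The usable ephemeral range of 1024-65535 (64512 ports), the attacker sending distinct guesses, and each forced lookup being an independent race are all assumptions of the model; the network, the race against the genuine reply and DNSSEC are out of scope.

```python
"""Blind DNS answer forgery: what a random query source port buys you.

Added example, not code from the bind-users post, from BIND or from dig.
The attacker must match the 16-bit DNS message ID of the outstanding
query and, when the resolver randomises it, the UDP source port too.
Only the guessing is modelled; the ephemeral port range is an assumption.
"""
import math
import random

TXID_SPACE = 1 << 16             # 16-bit DNS message ID
FIXED_PORT = 1                   # resolver always queries from one known port
EPHEMERAL_PORTS = 65536 - 1024   # assumed usable range 1024-65535


def guess_space(port_choices):
    """Number of (txid, port) pairs the attacker has to cover."""
    return TXID_SPACE * port_choices


def p_one_query(forged_replies, port_choices):
    """P(at least one of `forged_replies` distinct forgeries is accepted)
    for a single outstanding query, i.e. one race."""
    return min(1.0, forged_replies / guess_space(port_choices))


def p_any_query(forged_replies, port_choices, queries):
    """P(the attacker wins at least one of `queries` independent races).
    This is the "only has to get lucky once" quantity."""
    p = p_one_query(forged_replies, port_choices)
    return 1.0 - (1.0 - p) ** queries


def queries_needed(target, forged_replies, port_choices):
    """Smallest number of races giving the attacker P(win) >= target.
    A rate limiter shrinks `forged_replies` per race; it cannot make
    this infinite unless it blocks forged replies entirely."""
    p = p_one_query(forged_replies, port_choices)
    if p >= 1.0:
        return 1
    if p <= 0.0:
        return math.inf
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def simulate_race(forged_replies, port_choices, rng):
    """One race: the resolver picks a (txid, port), encoded as a single
    index into the guess space; the attacker sends `forged_replies`
    distinct guesses.  True if any guess matches."""
    space = guess_space(port_choices)
    target = rng.randrange(space)
    guesses = rng.sample(range(space), k=min(forged_replies, space))
    return target in set(guesses)


def win_rate(forged_replies, port_choices, trials=200, seed=1):
    """Empirical fraction of races won over `trials` independent races
    (seeded so that repeated runs give the same figure)."""
    rng = random.Random(seed)
    wins = sum(simulate_race(forged_replies, port_choices, rng)
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    # Assumed budget: 10000 forged replies delivered per race window.
    budget = 10000
    for label, ports in (("fixed port", FIXED_PORT),
                         ("random port", EPHEMERAL_PORTS)):
        print("%-12s space=%d  p(one race)=%.2e  races for 50%%: %s"
              % (label, guess_space(ports), p_one_query(budget, ports),
                 queries_needed(0.5, budget, ports)))
    print("fixed port, full 65536 guesses, simulated win rate: %.2f"
          % win_rate(TXID_SPACE, FIXED_PORT, trials=10))
```

With a fixed port, a budget of 10000 forgeries per race wins about 15% of races, so twenty forced lookups give the attacker better than 95% odds; with a random port the same budget needs on the order of 10^5 races for even odds. That is the sense in which randomisation and rate limiting raise the cost without removing the attack: only a resolver that can verify the answer (signed data) rejects a forgery that happens to match.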

More information about the bind-users mailing list