No subject


Tue Apr 2 00:56:56 UTC 2013


attacker MUST be able to send some packets to your DNS with some fake
requests in order to guess at the starting point for the transaction IDs,
otherwise they have to guess... So they have to get at least one
response...  I read that on the doxpara site...???? I guess I am not
understanding because my DNS does not allow incoming connections so the
attacker must A- guess that I have a DNS server and B- must send at least
one packet to get a response back in order to start the attack...???
otherwise they are guessing a 16-bit transaction ID and also they must guess
what port my requests are going out on... even though it is not random they
have no way of knowing what it is?
Am I right?

On Wed, Aug 13, 2008 at 9:46 AM, Chris Buxton <cbuxton at menandmice.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> No, you are not safe. The incoming packets from the attacker will have a
> forged source address, and they will appear to be responses to queries that
> your server is sending out. They are triggered by an outbound query from
> your server, which will have been triggered by a host on the inside. Even if
> your firewall matches up transaction IDs of query and response, that just
> means that only the actually successful attack packets will get through your
> firewall - the ones that would have failed will be blocked.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
>
> On Aug 13, 2008, at 6:15 AM, John Smith wrote:
>
>> So I have a caching only DNS server that is behind a firewall and has no
>> incoming connections allowed unless specifically requested from inside. My
>> DNS server does contact the root DNS servers upstream. But again incoming
>> connections are only allowed into my DNS server unless they originated from
>> the inside.
>> As far as I understand the problem for the recent DNS issues is from someone
>> on the outside of my firewall ( I am ignoring an attack from the inside)
>> would have to send my DNS server (which they cannot) some DNS requests in
>> order to get a reply for them to attack?
>> Am I right? So since I do not have external access to port 53 I am
>> relatively safe?
>>
>> Since my DNS is not randomizing ports but is randomizing transaction IDs?
>>
>> Just curious.
>>
>>
>>
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
>
> iEYEARECAAYFAkii5b4ACgkQ0p/8Jp6Boi2IKgCgsy09b1OfLLpTmGtsvHjZ1+GW
> 4okAnjXGVcY05yaldimONKBj1YxRLVso
> =MYVz
> -----END PGP SIGNATURE-----
>
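As an added example that is not part of this thread and is not BIND's own code: the script below pulls the UDP source port and the DNS transaction ID out of a resolver's outbound queries (the samples are constructed, not captured), reports whether the source port is fixed, sequential or varying, and then works the guess-space arithmetic behind Chris's point that a firewall matching transaction IDs only drops the forged replies that would have failed anyway. The 1024-65535 ephemeral range (`EPHEMERAL_PORTS`) and the rule that a sequential port counts as predictable are assumptions of the example, not facts from the thread.

```python
# Added example for this thread (not code from the original post or from
# BIND): an offline check of whether a recursive resolver varies BOTH the
# UDP source port and the DNS transaction ID on its outbound queries, plus
# the guess-space arithmetic behind the "firewall matching transaction IDs
# does not help" argument. All packet samples below are constructed.
import struct

# Assumption: a randomising resolver picks from the unprivileged range 1024-65535.
EPHEMERAL_PORTS = 65535 - 1024 + 1


def build_query(src_port, txid, qname=b"example.com"):
    """Construct a raw UDP datagram carrying a minimal DNS A query (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, one question
    labels = b"".join(bytes([len(label)]) + label for label in qname.split(b"."))
    payload = header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!HHHH", src_port, 53, 8 + len(payload), 0) + payload


def parse_udp(datagram):
    """Return (src_port, dst_port, payload) from a raw UDP datagram (8-byte header)."""
    src, dst, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    return src, dst, datagram[8:length]


def parse_dns_txid(payload):
    """The transaction ID is the first 16-bit field of the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", payload[:2])[0]


def guess_space(port_choices):
    """Number of (source port, transaction ID) pairs a forged reply must match.
    With a fixed source port only the 16-bit transaction ID is unknown."""
    return port_choices * (1 << 16)


def spoof_success_probability(forged_replies, port_choices):
    """Chance that a burst of distinct forged replies contains the one the resolver
    accepts. A firewall that drops replies whose ID does not match the pending query
    leaves this unchanged: the one matching reply is exactly the one it lets through."""
    return min(1.0, forged_replies / guess_space(port_choices))


def assess_randomization(datagrams):
    """Summarise source-port and transaction-ID behaviour over captured outbound queries."""
    parsed = [parse_udp(d) for d in datagrams]
    ports = [src for src, _dst, _payload in parsed]
    txids = [parse_dns_txid(payload) for _src, _dst, payload in parsed]
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(set(ports)) == 1:
        pattern, choices = "fixed", 1
    elif steps == {1}:
        pattern, choices = "sequential", 1  # assumption: next port is predictable from the last one seen
    else:
        pattern, choices = "varying", EPHEMERAL_PORTS
    return {
        "port_pattern": pattern,
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_choices": choices,
        "guess_space": guess_space(choices),
    }


# Constructed samples: a resolver with one fixed source port, one that walks
# ports sequentially, and one that varies both the port and the transaction ID.
FIXED_PORT_SAMPLES = [build_query(32768, t) for t in (0x1A2B, 0x7C3D, 0x0E4F, 0xB510)]
SEQUENTIAL_SAMPLES = [build_query(p, t) for p, t in ((40000, 0x11AA), (40001, 0x22BB), (40002, 0x33CC))]
RANDOM_PORT_SAMPLES = [build_query(p, t) for p, t in ((51034, 0x9F21), (12877, 0x03C4), (60412, 0xE77A), (24981, 0x5B08))]

if __name__ == "__main__":
    for name, samples in (("fixed", FIXED_PORT_SAMPLES), ("sequential", SEQUENTIAL_SAMPLES), ("random", RANDOM_PORT_SAMPLES)):
        report = assess_randomization(samples)
        hit = spoof_success_probability(10_000, report["port_choices"])
        print(name, report, "P(hit | 10k forged replies) = %.6f" % hit)
```

Run it as-is to see the three reports; to check a real resolver, replace the constructed sample lists with the raw UDP datagrams of its outbound queries. A "fixed" or "sequential" result means the guess space is the 16-bit transaction ID alone, which is the situation the thread is discussing.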




More information about the bind-users mailing list