How do I randomize the DNS source port number?

Jim Reid jim at rfc1035.com
Sat Jul 27 10:42:57 UTC 2002


>>>>> "phil" == phil-news-nospam  <phil-news-nospam at ipal.net> writes:

    phil> Because BIND always uses the same port number, all the
    phil> attacker has to do is trick your server into sending a query
    phil> to his server, log the port number you are using, and then
    phil> bang away with these false responses every second or more
    phil> often, until your name server actually does a real lookup.

Randomising the port number used for queries doesn't really make any
difference. It certainly doesn't make things "more secure". At best it
raises the bar a little for an attacker, but not enough to matter. If
you assume the attacker can see your name server's queries, they
already know the server's source port number for that query. So in
that case what's the point of a continually changing randomised port
number? [The attacker would probably want/need to see those queries so
they could put together a suitable fake response.] If you assume an
attacker can't see those queries, you're kidding yourself. And anyway,
what would stop a blunderbuss approach where the attacker just sends
the same fake reply to every one of the server's 64k UDP ports?
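An added illustration, not part of the thread, to put numbers on the "bar" being discussed: it models a blind spoofer (one who cannot see the queries) guessing the 16-bit transaction ID alone versus the ID plus a randomised 16-bit source port, and includes a simple check a resolver operator can run over captured query source ports to see whether they vary at all. It assumes one outstanding query, uniformly random IDs and ports, and a port drawn from the full 64k range the message mentions (real resolvers use a smaller ephemeral range, which lowers the figures accordingly).

```python
import math
from collections import Counter

TXID_BITS = 16  # DNS transaction ID is a 16-bit field
PORT_BITS = 16  # UDP source port is 16 bits: the "64k UDP ports" in the message

def guess_space(randomize_port: bool) -> int:
    """Number of (TXID, port) combinations a blind spoofer must cover."""
    bits = TXID_BITS + (PORT_BITS if randomize_port else 0)
    return 2 ** bits

def p_success(spoofed_packets: int, randomize_port: bool) -> float:
    """Probability that at least one of N distinct forged replies matches the
    outstanding query (uniform secret, attacker never repeats a guess)."""
    return min(1.0, spoofed_packets / guess_space(randomize_port))

def expected_packets(randomize_port: bool) -> float:
    """Expected number of distinct forged replies before the first match."""
    return (guess_space(randomize_port) + 1) / 2

def port_entropy_bits(observed_ports) -> float:
    """Shannon entropy (bits) of source ports seen in outgoing queries.
    A resolver that always uses the same port scores 0; the closer to 16 the
    better, within the limits of the sample size."""
    counts = Counter(observed_ports)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

# Constructed sample data, standing in for ports read out of a packet capture.
FIXED_PORT_SAMPLE = [53] * 8                                   # always port 53
VARYING_PORT_SAMPLE = [1025, 2048, 40001, 33333, 51111, 6002, 1702, 62000]

if __name__ == "__main__":
    # The blunderbuss in the message: one reply to every port, per TXID guess,
    # so the random port multiplies the work by 2**PORT_BITS rather than removing it.
    for randomize in (False, True):
        print(f"randomised port={randomize}: space={guess_space(randomize)}, "
              f"P(hit after 65536 packets)={p_success(65536, randomize):.2e}, "
              f"expected packets={expected_packets(randomize):.1f}")
    print("fixed-port sample entropy:", port_entropy_bits(FIXED_PORT_SAMPLE))
    print("varying-port sample entropy:", port_entropy_bits(VARYING_PORT_SAMPLE))
```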
