How do I randomize the DNS source port number?

Jim Reid jim at rfc1035.com
Tue Jul 30 15:33:46 UTC 2002


    > Randomising the port number used for queries doesn't really make any
    > difference. It certainly doesn't make things "more secure". At best it
    > raises the bar a little for an attacker, but not enough to matter. If
    > you assume the attacker can see your name server's queries, they
    > already know the server's source port number for that query. So in
    > that case what's the point of a continually changing randomised port
    > number? [The attacker would probably want/need to see those queries so
    > they could put together a suitable fake response.] If you assume an
    > attacker can't see those queries, you're kidding yourself. And anyway,
    > what would stop a blunderbuss approach where the attacker just
    > sends the same fake reply to every one of the server's 64k UDP ports?

    Phil> This isn't the usual scenario.  The attack is not in the form of a
    Phil> query, but rather, is in the form of a response forging the source
    Phil> address of an anticipated query of another server.  The attacker can
    Phil> get the port number by causing a query to happen that goes to his
    Phil> own server (for which it would give a normal response so it would not
    Phil> raise any flags, and can be hours earlier than the attack).

The scenario you raise is only one of the ways of DNS spoofing, and a
not particularly effective one at that. I'm not going to say any more
about this because it might give too many clues to the people in black
hats.
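
The following is an added example, not code from the original thread or from BIND: a toy Python model of the race both posters describe, written so the two arguments can be put side by side with numbers. It assumes a 16-bit transaction ID, an ephemeral port range of 1024-65535 for the randomized case, a fixed query port of 53 for the unrandomized case, and constructed names ("www.victim.example.", "attacker.example."). The resolver only models how replies are matched to outstanding queries; the attacker first learns the query port the way Phil describes (induce a query to a server he controls, which answers normally) and then floods forged replies for the victim name.

```python
"""Toy model of the blind-spoofing race discussed in this thread.

Constructed example for illustration; it is not BIND code. The resolver
accepts the first reply whose (source port, transaction ID, question)
matches an outstanding query. Port range, fixed port and names are assumptions.
"""
import random

TXID_SPACE = 1 << 16                # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65536   # assumed ephemeral range for random ports
PORT_SPACE = PORT_HIGH - PORT_LOW   # 64512 candidate ports
FIXED_PORT = 53                     # assumed: classic fixed query source port
VICTIM = "www.victim.example."      # constructed name under attack
BAIT = "attacker.example."          # constructed name the attacker serves


class Resolver:
    """Minimal recursive resolver: only the matching of replies is modelled."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.outstanding = set()

    def send_query(self, qname):
        """Issue a query; return (sport, txid) as visible to whoever receives it."""
        txid = self.rng.getrandbits(16)
        sport = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else FIXED_PORT
        self.outstanding.add((sport, txid, qname))
        return sport, txid

    def receive(self, sport, txid, qname):
        """Accept a reply only if all three fields match an outstanding query."""
        key = (sport, txid, qname)
        if key in self.outstanding:
            self.outstanding.remove(key)
            return True
        return False


def learn_port(resolver):
    """Phil's reconnaissance: the resolver queries the attacker's own server,
    which answers normally, and the attacker reads the source port off the wire."""
    sport, txid = resolver.send_query(BAIT)
    resolver.receive(sport, txid, BAIT)          # legitimate answer, no alarm raised
    return sport


def race(resolver, forged_replies):
    """The victim query goes out and the forged replies arrive before the real
    answer. Returns True if any forgery is accepted."""
    resolver.send_query(VICTIM)
    hit = any(resolver.receive(p, t, VICTIM) for p, t in forged_replies)
    resolver.outstanding.clear()                 # real answer arrives; state reset
    return hit


def sweep_txids_at_port(port):
    """Every TXID at the one learned port: TXID_SPACE packets."""
    return [(port, t) for t in range(TXID_SPACE)]


def blunderbuss(txid_guess):
    """Jim's blunderbuss: one TXID guess sent to every candidate port: PORT_SPACE packets."""
    return [(p, txid_guess) for p in range(PORT_LOW, PORT_HIGH)]


def success_rate(randomize_port, forgery_plan, trials, seed=1):
    """Empirical hit rate of a plan built from the learned port."""
    resolver = Resolver(randomize_port, random.Random(seed))
    hits = sum(race(resolver, forgery_plan(learn_port(resolver))) for _ in range(trials))
    return hits / trials


def analytic_success(n_forgeries, randomize_port):
    """Chance that n distinct (port, txid) guesses hit one query: the attacker
    knows the fixed port, or must guess port and TXID together."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return min(1.0, n_forgeries / space)


def blunderbuss_with_known_txid(seed=7):
    """With the TXID known, spraying every port hits a randomized-port resolver
    every time; returns (hit, packets sent)."""
    resolver = Resolver(True, random.Random(seed))
    _, txid = resolver.send_query(VICTIM)
    plan = blunderbuss(txid)
    return any(resolver.receive(p, t, VICTIM) for p, t in plan), len(plan)


if __name__ == "__main__":
    print("fixed port, all TXIDs at learned port :", success_rate(False, sweep_txids_at_port, 10))
    print("random port, all TXIDs at learned port:", success_rate(True, sweep_txids_at_port, 10))
    print("per-packet odds, fixed port  :", analytic_success(1, False))
    print("per-packet odds, random port :", analytic_success(1, True))
    print("blunderbuss, TXID known      :", blunderbuss_with_known_txid())
```

What the model makes explicit: the reconnaissance step pays off only when the port is fixed, since a port drawn fresh per query says nothing about the next one; per forged packet the odds are 1/2^16 at a known port and 1/(2^16 * 64512) when the port must be guessed too; and the blunderbuss plan does restore the known-port odds, at the price of 64512 packets per TXID guess.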

