Vulnerability to cache poisoning -- the rest of the solution

Mark Andrews Mark_Andrews at isc.org
Tue Jul 15 09:13:28 UTC 2008


> Hi there,
> 
> On Tue, 15 Jul 2008, Mark Andrews wrote:
> 
> > > Will BIND randomize query TCP source ports as well (when TCP is
> > > required) with these new patches?
> >
> > 	TCP doesn't need to randomise the port.  Your TCP stack
> > 	should be randomising the 32 bit TCP sequence number it
> > 	uses when establishing a connection.  If it doesn't, get a
> > 	new OS as the one you have is ancient and full of security
> > 	holes.
> >
> > 	This makes TCP much harder, but not impossible, to spoof
> > 	than UDP.
> 
> As an interim measure, I take it that using TCP only isn't an option?

	No.  You have people that believe they can block TCP
	connections to DNS servers despite the RFCs saying they
	SHOULD be open.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org