Vulnerability to cache poisoning -- the rest of the solution

Kevin Darcy kcd at chrysler.com
Tue Jul 15 19:28:16 UTC 2008


Mark Andrews wrote:
>> Hi there,
>>
>> On Tue, 15 Jul 2008, Mark Andrews wrote:
>>
>>>> Will BIND randomize query TCP source ports as well (when TCP is
>>>> required) with these new patches?
>>>
>>> 	TCP doesn't need to randomise the port.  Your TCP stack
>>> 	should be randomising the 32 bit TCP sequence number it
>>> 	uses when establishing a connection.  If it doesn't, get a
>>> 	new OS as the one you have is ancient and full of security
>>> 	holes.
>>>
>>> 	This makes TCP much harder, but not impossible, to spoof
>>> 	than UDP.
>>
>> As an interim measure, I take it that using TCP only isn't an option?
>
> 	No.  You have people that believe they can block TCP
> 	connections to DNS servers despite the RFC's saying they
> 	SHOULD be open.
>
Well, more fundamentally than that, it would be a violation of RFC 1123 
(Section 6.1.3.2 Transport Protocols: "DNS resolvers and recursive 
servers MUST support UDP"), and TCP is a much bigger resource hog.

            - Kevin
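The thread turns on whether a resolver's outbound query source ports are actually randomized by the new patches. The following is an added example, not code from the thread or from BIND: a small check a resolver operator can run over the source ports observed on outbound queries (for instance, extracted from a packet capture of port 53 traffic leaving the resolver). The three sample lists are constructed; the thresholds in `assess_source_ports` are assumptions chosen for a few hundred samples. It also shows why entropy alone is not a sufficient check: an OS ephemeral-port counter has the same entropy as a random allocator over a short window, so the check looks at consecutive +1 steps as well.

```python
"""Check whether a resolver's outbound query source ports look randomized.

Added example (not from the mailing-list thread or from BIND). Feed
assess_source_ports() the source ports observed on outbound queries; the
sample lists at the bottom are constructed stand-ins for captured traffic.
"""
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential_fraction(ports):
    """Fraction of consecutive samples that increase by exactly one.

    A counter-based ephemeral-port allocator shows up here as a value near 1.0
    even though its entropy over a short window looks healthy.
    """
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess_source_ports(ports, min_entropy_bits=6.0, max_sequential=0.2):
    """Classify a sample of source ports.

    Verdicts: 'fixed' (one port for everything, e.g. an unpatched resolver
    always sending from 53), 'sequential' (a predictable counter),
    'low-entropy' (varies, but over too few values) or 'randomized'.
    Thresholds are assumptions tuned for a few hundred samples.
    """
    if not ports:
        raise ValueError("no samples")
    distinct = len(set(ports))
    entropy = shannon_entropy_bits(ports)
    seq = sequential_fraction(ports)
    if distinct == 1:
        verdict = "fixed"
    elif seq > max_sequential:
        verdict = "sequential"
    elif entropy >= min_entropy_bits:
        verdict = "randomized"
    else:
        verdict = "low-entropy"
    return {
        "samples": len(ports),
        "distinct": distinct,
        "entropy_bits": round(entropy, 2),
        "sequential_fraction": round(seq, 2),
        "verdict": verdict,
    }


# Constructed samples standing in for ports observed on the wire.
FIXED_PORTS = [53] * 200                       # unpatched: every query from port 53
SEQUENTIAL_PORTS = list(range(32768, 32968))   # OS ephemeral-port counter
_rng = random.Random(2008)                     # seeded so the demo is repeatable
RANDOM_PORTS = [_rng.randrange(1024, 65536) for _ in range(200)]  # randomized allocator


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORTS),
                         ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)]:
        print(name, assess_source_ports(sample))
```

With real traffic, a few hundred outbound queries are enough to distinguish the three cases; a verdict of `fixed` or `sequential` after applying the patches means the resolver is still sending from a predictable port and the fix is not in effect.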
