Vulnerability to cache poisoning -- the rest of the solution
Mark Andrews
Mark_Andrews at isc.org
Wed Jul 16 00:09:04 UTC 2008
> Mark Andrews wrote:
> >> Hi there,
> >>
> >> On Tue, 15 Jul 2008, Mark Andrews wrote:
> >>
> >>
> >>>> Will BIND randomize query TCP source ports as well (when TCP is
> >>>> required) with these new patches?
> >>>>
> >>> TCP doesn't need to randomise the port. Your TCP stack
> >>> should be randomising the 32 bit TCP sequence number it
> >>> uses when establishing a connection. If it doesn't, get a
> >>> new OS as the one you have is ancient and full of security
> >>> holes.
> >>>
> >>> This makes TCP much harder, but not impossible, to spoof
> >>> than UDP.
> >>>
> >> As an interim measure, I take it that using TCP only isn't an option?
> >>
> >
> > No. You have people that believe they can block TCP
> > connections to DNS servers despite the RFCs saying they
> > SHOULD be open.
> >
> Well, more fundamentally than that, it would be a violation of RFC 1123
> (Section 6.1.3.2 Transport Protocols: "DNS resolvers and recursive
> servers MUST support UDP"), and TCP is a much bigger resource hog.
>
>
> - Kevin
RFCs can be updated. If it was felt that the only way to
address this problem was to go to TCP then I'm sure that an
RFC could have made it through the review process in enough
time to stop complaints.
DNSSEC is the solution the IETF chose years ago to deal
with spoofed DNS traffic. It also deals with several other
problems including man in the middle attacks.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
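The thread turns on whether a resolver's outbound UDP source ports are actually randomized by the new patches (TCP is treated separately because the 32-bit ISN already makes it far harder to spoof). The script below is an added example, not code from the thread or from ISC: given a list of (transaction id, source port) pairs as an operator might collect from their own resolver's outbound queries, it reports whether the ports look fixed, sequential, low-entropy or randomized. The three sample sets are constructed inline with a seeded generator; the threshold constants are assumptions chosen for illustration, not values from the page.

```python
"""Check whether observed resolver source ports look randomized.

Added example (not from the bind-users thread). Observations are
(txid, source_port) pairs for outbound UDP queries; the samples below
are constructed with a seeded RNG, not captured from a real resolver.
"""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential_fraction(ports):
    """Fraction of consecutive observations whose port increases by exactly 1.
    A resolver handing out ports 1024, 1025, 1026, ... scores near 1.0."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess_ports(observations):
    """Classify the source-port behaviour seen in a list of (txid, port)."""
    ports = [port for _, port in observations]
    distinct = len(set(ports))
    entropy = shannon_bits(ports)
    seq = sequential_fraction(ports)
    # Entropy estimated from n samples cannot exceed log2(n); a randomized
    # port source should sit close to that ceiling. 0.8 is an assumed cutoff.
    ceiling = math.log2(len(ports)) if ports else 0.0
    # Observed span of ports, as bits; only an upper bound on what an
    # off-path spoofer has to guess, and only meaningful when randomized.
    span_bits = math.log2(max(ports) - min(ports) + 1) if ports else 0.0

    if distinct == 1:
        verdict = "fixed"        # spoofer only has to guess the 16-bit txid
    elif seq > 0.5:
        verdict = "sequential"   # next port is predictable from the last
    elif entropy < 0.8 * ceiling:
        verdict = "low-entropy"  # ports vary, but over too few values
    else:
        verdict = "randomized"

    return {
        "verdict": verdict,
        "distinct_ports": distinct,
        "entropy_bits": round(entropy, 2),
        "sequential_fraction": round(seq, 2),
        "port_span_bits": round(span_bits, 2),
    }


def make_samples(n=200, seed=1):
    """Constructed observation sets for three resolver behaviours."""
    rng = random.Random(seed)
    return {
        # unpatched: every query leaves from the same port
        "fixed": [(rng.randrange(65536), 53) for _ in range(n)],
        # ephemeral ports allocated in order by the OS
        "sequential": [(rng.randrange(65536), 1024 + i) for i in range(n)],
        # patched: a fresh port from the high range for every query
        "randomized": [(rng.randrange(65536), rng.randrange(49152, 65536))
                       for _ in range(n)],
    }


if __name__ == "__main__":
    for name, obs in make_samples().items():
        print(f"{name:>10}: {assess_ports(obs)}")
```

Run it against a real capture by replacing `make_samples()` with pairs parsed from your own resolver's outbound traffic; a few hundred queries are enough to distinguish a fixed or sequential allocator from a randomized one, though a short sample cannot prove the generator is cryptographically strong.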