Vulnerability to cache poisoning -- the rest of the solution

Mark Andrews Mark_Andrews at isc.org
Wed Jul 16 00:09:04 UTC 2008


> Mark Andrews wrote:
> >> Hi there,
> >>
> >> On Tue, 15 Jul 2008, Mark Andrews wrote:
> >>
> >>     
> >>>> Will BIND randomize query TCP source ports as well (when TCP is
> >>>> required) with these new patches?
> >>>>         
> >>> 	TCP doesn't need to randomise the port.  Your TCP stack
> >>> 	should be randomising the 32 bit TCP sequence number it
> >>> 	uses when establishing a connection.  If it doesn't, get a
> >>> 	new OS as the one you have is ancient and full of security
> >>> 	holes.
> >>>
> >>> 	This makes TCP much harder, but not impossible, to spoof
> >>> 	than UDP.
> >>>       
> >> As an interim measure, I take it that using TCP only isn't an option?
> >>     
> >
> > 	No.  You have people that believe they can block TCP
> > 	connections to DNS servers despite the RFC's saying they
> > 	SHOULD be open.
> >   
> Well, more fundamentally than that, it would be a violation of RFC 1123 
> (Section 6.1.3.2 Transport Protocols: "DNS resolvers and recursive 
> servers MUST support UDP"), and TCP is a much bigger resource hog.
> 
> 
>             - Kevin

	RFCs can be updated.  If it was felt that the only way to
	address this problem was to go to TCP then I'm sure that a
	RFC could have made it through the review process in enough
	time to stop complaints.

	DNSSEC is the solution the IETF chose years ago to deal
	with spoofed DNS traffic.   It also deals with several other
	problems including man in the middle attacks.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
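The thread compares how much an off-path forger has to guess under the three configurations discussed: UDP with a fixed source port (only the 16-bit transaction ID), UDP with randomised source ports (ID plus port), and TCP with a randomised 32-bit initial sequence number. The following is an added worked model, not code from BIND or from anyone in the thread; it assumes each forged packet carries a distinct guess drawn uniformly from the space of possible values, ignores the question-section match and the effect of several queries outstanding at once, and lets the ephemeral port range be narrower than all 65536 ports, which is the usual caveat when quoting "16 bits" of port entropy.

```python
import math

# Constructed model of the guessing space an off-path forger faces for ONE
# outstanding query. Not BIND code; the parameters are illustrative defaults.

TXID_BITS = 16   # DNS message ID is a 16-bit field
TCP_ISN_BITS = 32  # TCP initial sequence number, randomised by a modern stack


def port_entropy_bits(low, high):
    """Bits of entropy in a uniformly chosen source port from [low, high]."""
    if not (0 <= low <= high <= 65535):
        raise ValueError("port range must lie within 0..65535")
    return math.log2(high - low + 1)


def guess_bits(transport, randomized_port=True, port_low=0, port_high=65535):
    """Total bits a forger must match for a single outstanding query.

    transport: "udp" or "tcp".
    randomized_port: for UDP, whether the resolver randomises its source port;
                     with a fixed, predictable port only the TXID is secret.
    """
    port_bits = port_entropy_bits(port_low, port_high)
    if transport == "udp":
        return TXID_BITS + (port_bits if randomized_port else 0)
    if transport == "tcp":
        # An off-path TCP forgery must hit the port, the TXID and the
        # 32-bit sequence number that the stack chose when connecting.
        return TXID_BITS + port_bits + TCP_ISN_BITS
    raise ValueError("transport must be 'udp' or 'tcp'")


def success_probability(bits, forged_packets):
    """P(at least one of forged_packets distinct guesses matches), capped at 1."""
    if forged_packets < 0:
        raise ValueError("forged_packets must be non-negative")
    return min(1.0, forged_packets / 2 ** bits)


def forgeries_for_probability(bits, target_probability):
    """Distinct forged packets needed to reach target_probability per query."""
    if not 0 < target_probability <= 1:
        raise ValueError("target_probability must be in (0, 1]")
    return math.ceil(target_probability * 2 ** bits)


if __name__ == "__main__":
    for label, kwargs in [
        ("UDP, fixed source port", dict(transport="udp", randomized_port=False)),
        ("UDP, random port 1024-65535", dict(transport="udp", port_low=1024)),
        ("TCP, random ISN, port 1024-65535", dict(transport="tcp", port_low=1024)),
    ]:
        bits = guess_bits(**kwargs)
        print(f"{label:35s} {bits:6.2f} bits; "
              f"P(hit | 65536 forgeries) = {success_probability(bits, 65536):.3e}; "
              f"forgeries for 50% = {forgeries_for_probability(bits, 0.5):.3e}")
```

Run stand-alone, it prints one line per configuration, and the jump from roughly 16 to roughly 32 to roughly 64 bits is the whole argument in the thread: randomising the UDP port multiplies the forger's work by about 65000, and TCP's random sequence number multiplies it by a further 2^32, which is why Mark calls TCP "much harder, but not impossible". The model deliberately stays per-query; a resolver with many queries in flight to the same name, or one that reuses a port across queries, gives the forger more targets per packet, which is the caveat a practitioner should carry into any real risk estimate.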