Vulnerability to cache poisoning -- the rest of the solution
Matthew Pounsett
matt at conundrum.com
Wed Jul 16 14:33:05 UTC 2008
On 15-Jul-2008, at 04:46, G.W. Haywood wrote:
> Hi there,
>
> On Tue, 15 Jul 2008, Mark Andrews wrote:
>
>>> Will BIND randomize query TCP source ports as well (when TCP is
>>> required) with these new patches?
>>
>> TCP doesn't need to randomise the port. Your TCP stack
>> should be randomising the 32 bit TCP sequence number it
>> uses when establishing a connection. If it doesn't, get a
>> new OS as the one you have is ancient and full of security
>> holes.
>>
>> This makes TCP much harder, but not impossible, to spoof
>> than UDP.
>
> As an interim measure, I take it that using TCP only isn't an option?
No, it isn't. The protocol isn't designed with TCP-only in mind --
TCP is meant to be a fallback. Removing UDP would spike the ~100ms
average lookup time up sharply (altering the user experience for
things like web browsing), and would significantly increase the load
on authoritative servers everywhere. My capital costs for managing an
authoritative zone would go up by more than double. It's safe to say
that any recursive server operator that switched to TCP-only, if they
were sending enough traffic my way to be noticed, would quickly find
themselves blackholed from my servers. I'm sure there are other
operators out there who would have a similar reaction.
Matt
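The thread turns on whether the resolver is actually sending its UDP queries from unpredictable source ports now that the patches are in, and Mark Andrews's point that for TCP the unpredictability comes from the stack's 32-bit initial sequence number rather than from BIND. The check below is an added example, not code from the thread or from BIND: it takes tcpdump-style lines of outbound queries (the two captures are constructed, with the resolver at 192.0.2.53 and authoritative servers in 198.51.100.0/24 as assumed addresses), pulls out the UDP source port of each query, and reports how much port entropy the resolver is really using. A patched resolver should show close to one distinct port per query; an unpatched one shows a single port, which leaves only the 16-bit transaction ID for an off-path attacker to guess.

```python
import math
import re
from collections import Counter

# Constructed sample capture (not a real trace): queries leaving a patched
# resolver, each from a different ephemeral port.
PATCHED_CAPTURE = """\
12:00:01.000001 IP 192.0.2.53.41523 > 198.51.100.10.53: 4711+ A? example.com. (29)
12:00:01.000452 IP 192.0.2.53.58091 > 198.51.100.10.53: 9124+ AAAA? example.com. (29)
12:00:01.000901 IP 192.0.2.53.33077 > 198.51.100.11.53: 1003+ MX? example.net. (29)
12:00:01.001333 IP 192.0.2.53.61210 > 198.51.100.12.53: 22910+ A? example.org. (29)
12:00:01.001780 IP 192.0.2.53.49871 > 198.51.100.10.53: 5150+ NS? example.com. (29)
12:00:01.002210 IP 192.0.2.53.36644 > 198.51.100.11.53: 7010+ A? www.example.net. (33)
"""

# Constructed sample capture: the same queries from an unpatched resolver
# that reuses one fixed source port for everything.
UNPATCHED_CAPTURE = """\
12:00:01.000001 IP 192.0.2.53.53 > 198.51.100.10.53: 4711+ A? example.com. (29)
12:00:01.000452 IP 192.0.2.53.53 > 198.51.100.10.53: 9124+ AAAA? example.com. (29)
12:00:01.000901 IP 192.0.2.53.53 > 198.51.100.11.53: 1003+ MX? example.net. (29)
12:00:01.001333 IP 192.0.2.53.53 > 198.51.100.12.53: 22910+ A? example.org. (29)
12:00:01.001780 IP 192.0.2.53.53 > 198.51.100.10.53: 5150+ NS? example.com. (29)
12:00:01.002210 IP 192.0.2.53.53 > 198.51.100.11.53: 7010+ A? www.example.net. (33)
"""

# Matches "IP <src>.<sport> > <dst>.53: <txid>" for a query sent to port 53.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.53: (\d+)"
)


def source_ports(capture, resolver_ip):
    """Return the UDP source port of every query the resolver sent."""
    ports = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports


def shannon_bits(values):
    """Shannon entropy of the observed values, in bits."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_port_randomisation(capture, resolver_ip):
    """Summarise how unpredictable the resolver's query source ports are.

    With N queries the most entropy we can possibly observe is log2(N), so
    the verdict compares the measured entropy against that ceiling (capped
    at 10 bits so very large captures do not need a perfect score) rather
    than against the full 16-bit port space.
    """
    ports = source_ports(capture, resolver_ip)
    queries = len(ports)
    distinct = len(set(ports))
    bits = shannon_bits(ports) if ports else 0.0
    ceiling = min(math.log2(queries), 10.0) if queries > 1 else 0.0
    return {
        "queries": queries,
        "distinct_ports": distinct,
        "entropy_bits": round(bits, 2),
        # A fixed or nearly fixed port means only the 16-bit TXID stands
        # between an off-path spoofer and the cache.
        "randomised": queries >= 2 and bits >= 0.9 * ceiling,
    }


if __name__ == "__main__":
    for label, cap in (("patched", PATCHED_CAPTURE), ("unpatched", UNPATCHED_CAPTURE)):
        print(label, assess_port_randomisation(cap, "192.0.2.53"))
```

On a real host, feed it the output of something like `tcpdump -n udp and dst port 53` for a few minutes of resolver traffic. The entropy figure is only what the capture lets you see, so a handful of queries can at best show a couple of bits; the useful signal is a resolver whose entropy sits far below the ceiling for the number of queries observed. Nothing here covers TCP fallback queries, which is consistent with the thread: for those the spoofing cost comes from the kernel's sequence number randomisation, not from anything BIND chooses.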