Firewall Wizards mailing list archives
RE: DNS security (Was: re: terminal services)
From: "Reckhard, Tobias" <tobias.reckhard () secunet com>
Date: Fri, 31 Jan 2003 11:44:15 +0100
Mikael Olsson wrote:
> "Reckhard, Tobias" wrote:
>> On Wednesday, January 29, 2003 11:09 PM, Paul Robertson wrote:
>>> Let's not forget that nailing DNS source ports to 53 reduces somewhat (though by a trivial amount) resistance to blind spoofing attacks.
>> Does that actually increase resistance against spoofing attacks?
> Yes.
No. As you say yourself. See below. [snip]
>> dnscache also uses a new random port number each time.
[snip]
> There is however a world of a difference between randomizing just one, and randomizing both. All of a sudden, you go from "gotta hit 1 out of 65536 to get me", to "gotta hit 1 out of 4294967296 to get me".
Right. So it's 64K times as difficult to spoof a DNS client that randomizes its source port as opposed to one that uses a fixed source port. That means that, using Paul's words in part, nailing DNS source ports to 53 does not reduce, but instead increases, resistance to blind spoofing attacks somewhat. That's my point: it's counter-productive to use a fixed source port in DNS requests, and even worse to choose 53.
>>> For non-recursive resolvers, it may be a slight issue, since fewer packets give a good chance to win a race.
>> I'm sorry, I don't understand what you mean.
> It's easier to beat the odds if the resolver has multiple queries outstanding. And the odds don't just increase linearly.
Ah, OK, I get it now. Thanks for the explanation, Mikael.

Cheers,
Tobias

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
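The odds discussed in the thread above, worked through as an added example (this is not code from the list or from any of the posters). It models the guess space a forged reply has to hit, the 16-bit transaction ID alone for a resolver that pins its source port versus TXID and a 16-bit source port for one that randomizes both, and it computes the chance that a burst of forged replies matches one of several outstanding queries. Assumptions: the full 16-bit port space is usable (real ephemeral ranges are smaller, which only shrinks the defender's margin), each forged reply carries an independently chosen (TXID, port) guess, and the outstanding queries use distinct tuples. The function names are mine.

```python
"""
Blind-spoofing odds for a DNS resolver, depending on what it randomizes.
Constructed example, not code from the firewall-wizards thread.
"""

TXID_SPACE = 2 ** 16   # 16-bit DNS transaction ID
PORT_SPACE = 2 ** 16   # assumption: full 16-bit port space; real ephemeral ranges are smaller


def guess_space(randomize_port: bool) -> int:
    """Number of (TXID, source port) combinations a forged reply must match.

    A resolver with a fixed source port (53 or any other known value) leaves
    only the TXID to guess; randomizing the port multiplies the space by 65536.
    """
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def p_spoof(space: int, n_forged: int, k_outstanding: int = 1) -> float:
    """Probability that at least one of n_forged replies, each carrying an
    independently chosen (TXID, port) guess, matches one of k_outstanding
    queries whose tuples are assumed distinct.

    Per forged packet the hit probability is k/space; over n independent
    packets it is 1 - (1 - k/space)^n, which saturates rather than growing
    without bound, which is why the odds are not simply linear in n.
    """
    if n_forged <= 0 or k_outstanding <= 0:
        return 0.0
    if k_outstanding >= space:
        return 1.0            # every possible tuple is already in use
    per_packet = k_outstanding / space
    return 1.0 - (1.0 - per_packet) ** n_forged


def compare(n_forged: int, k_outstanding: int = 1) -> dict:
    """Same burst of forged replies against a fixed-port and a random-port resolver."""
    return {
        "fixed_port": p_spoof(guess_space(False), n_forged, k_outstanding),
        "random_port": p_spoof(guess_space(True), n_forged, k_outstanding),
    }


if __name__ == "__main__":
    print(f"guess space, fixed port : {guess_space(False):>12}")
    print(f"guess space, random port: {guess_space(True):>12}")
    print(f"ratio: {guess_space(True) // guess_space(False)}x")
    for n in (1, 1_000, 65_536):
        for k in (1, 8):
            r = compare(n, k)
            print(f"{n:>6} forged replies, {k} outstanding: "
                  f"fixed={r['fixed_port']:.6f}  random={r['random_port']:.9f}")
```

Running it shows the factor of 65536 between the two guess spaces that Mikael's numbers describe, and that adding outstanding queries raises the per-packet hit chance by k while the overall probability for a burst of n replies follows 1 - (1 - k/N)^n, so the random-port column stays near zero where the fixed-port column is already well past half.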