Date:      Tue, 22 Jul 2008 18:05:43 +0200
From:      cpghost <cpghost@cordula.ws>
To:        freebsd-stable@FreeBSD.ORG
Subject:   Re: FreeBSD 7.1 and BIND exploit
Message-ID:  <20080722160542.GA14592@epia-2.farid-hajji.net>
In-Reply-To: <200807221552.m6MFqgpm009488@lurza.secnetix.de>
References:  <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de>

On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote:
> I'm curious, is djbdns exploitable, too?  Does it randomize
> the source ports of UDP queries?

Apparently, djbdns had randomization of the source ports a long
time ago...

> > Of course, all solutions that randomize ports are really just
> > "security by obscurity," because by shuffling ports you're hiding the
> > way to poison your cache... a little.
> 
> True, but there is currently no better solution, AFAIK.
> The problem is inherent in the way DNS queries work.

Yes indeed. If I understand all this correctly, it's because the
transaction ID that has to be sent back is only 2 bytes long, and if
the query port doesn't change as well with every query, that can be
cracked in milliseconds: sending 65536 DNS queries to a constant port
is just way too easy! The namespace is way too small, and there's no
way to fix this by switching to, say, 4 bytes or even more for the
transaction ID without breaking existing resolvers; actually without
breaking the protocol itself.

> Best regards
>    Oliver

cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
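As an added illustration of the point made in this message (not code from the thread or from any of the resolvers discussed), here is a small Python check a resolver operator can run over a sample of the transaction IDs and UDP source ports of their own outbound queries to tell a fixed or sequential port allocator from a randomized one. The samples are constructed, and the 0.9 thresholds are assumptions.

```python
import math
import random
from collections import Counter

def shannon_bits(values):
    """Empirical Shannon entropy (bits) of the observed values."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())

def assess(samples):
    """samples: list of (txid, source_port) pairs from outbound queries."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two queries to judge randomization")
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    port_bits = shannon_bits(ports)
    max_bits = math.log2(n)  # ceiling any sample of this size can reach
    # Fraction of consecutive queries whose port rose by exactly one: a
    # sequential allocator scores ~1.0 and is as guessable as a fixed port.
    sequential = sum(b - a == 1 for a, b in zip(ports, ports[1:])) / (n - 1)
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "fixed"        # only the 16-bit TXID is left to guess
    elif sequential > 0.9:
        verdict = "sequential"   # next port predictable from the last one
    elif port_bits / max_bits > 0.9:
        verdict = "randomized"   # guess space is TXID x port, not TXID alone
    else:
        verdict = "weak"
    return {"distinct_ports": distinct, "port_entropy_bits": port_bits,
            "txid_entropy_bits": shannon_bits(txids),
            "sequential_fraction": sequential, "verdict": verdict}

def constructed_sample(kind, n=256, seed=7):
    """Constructed (txid, port) pairs for demonstration, not captured traffic."""
    rng = random.Random(seed)
    txids = [rng.randrange(1 << 16) for _ in range(n)]
    if kind == "fixed":          # unpatched resolver: every query from one port
        ports = [53] * n
    elif kind == "sequential":   # allocator that just increments the port
        ports = [1024 + i for i in range(n)]
    else:                        # patched resolver: fresh ephemeral port per query
        ports = [rng.randrange(1024, 65536) for _ in range(n)]
    return list(zip(txids, ports))

if __name__ == "__main__":
    for kind in ("fixed", "sequential", "random"):
        print(kind, assess(constructed_sample(kind))["verdict"])
```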


