FreeBSD 7.1 and BIND exploit

cpghost cpghost at cordula.ws
Tue Jul 22 16:05:47 UTC 2008


On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote:
> I'm curious, is djbdns exploitable, too?  Does it randomize
> the source ports of UDP queries?

Apparently, djbdns had randomization of the source ports a long
time ago...

> > Of course, all solutions that randomize ports are really just
> > "security by obscurity," because by shuffling ports you're hiding the
> > way to poison your cache... a little.
> 
> True, but there is currently no better solution, AFAIK.
> The problem is inherent in the way DNS queries work.

Yes indeed. If I understand all this correctly, it's because the
transaction ID that has to be sent back is only 2 bytes long, and if
the query port doesn't change as well with every query, that can be
cracked in milliseconds: sending 65536 DNS queries to a constant port
is just way too easy! The namespace is way too small, and there's no
way to fix this by switching to, say, 4 bytes or even more for the
transaction ID without breaking existing resolvers; actually without
breaking the protocol itself.

> Best regards
>    Oliver

cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
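Added illustration of the arithmetic in the message above (an editor's example, not code from the original post, from FreeBSD, BIND or djbdns): a toy resolver that accepts a reply only when the 16-bit transaction ID and the destination port both match, and a blind spoofer that sprays every transaction ID at one guessed port. The ephemeral port range 1024-65535 is an assumption for the model; real resolvers use narrower or different ranges, so the multiplier is only roughly 64k.

```python
"""Toy model of a blind DNS cache-poisoning race: why a 2-byte transaction
ID alone is not enough, and what source-port randomization buys.

Editor's illustration for this thread, not code from FreeBSD, BIND or
djbdns.  Assumption: a randomizing resolver draws source ports uniformly
from 1024-65535; real implementations use other ranges."""
import random

TXID_SPACE = 1 << 16                          # 2-byte transaction ID: 65536 values
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65536   # assumed port range, half-open
PORT_SPACE = EPHEMERAL_HIGH - EPHEMERAL_LOW   # 64512 candidate source ports
FIXED_PORT = 53                               # classic resolvers query from port 53


def search_space(randomize_ports):
    """Number of (txid, port) pairs a blind spoofer has to cover."""
    return TXID_SPACE * (PORT_SPACE if randomize_ports else 1)


def expected_forgeries(randomize_ports):
    """Mean forged replies needed when the attacker enumerates the space
    once without repeating a guess: (N + 1) / 2."""
    return (search_space(randomize_ports) + 1) / 2


def hit_probability(forgeries, randomize_ports):
    """Chance that `forgeries` distinct guesses beat the genuine answer
    to one outstanding query (capped at 1)."""
    return min(1.0, forgeries / search_space(randomize_ports))


class Resolver:
    """Minimal recursive resolver: one outstanding query at a time; a reply
    is accepted only if transaction ID and destination port both match."""

    def __init__(self, randomize_ports, rng):
        self.randomize_ports = randomize_ports
        self.rng = rng
        self.outstanding = None

    def send_query(self):
        txid = self.rng.getrandbits(16)
        if self.randomize_ports:
            port = self.rng.randrange(EPHEMERAL_LOW, EPHEMERAL_HIGH)
        else:
            port = FIXED_PORT
        self.outstanding = (txid, port)
        return self.outstanding

    def deliver(self, txid, dst_port):
        """True if a (possibly forged) reply is accepted and would be cached."""
        if self.outstanding == (txid, dst_port):
            self.outstanding = None   # the genuine answer arriving later is ignored
            return True
        return False


def flood(resolver, port_guess, budget=TXID_SPACE):
    """Blind attacker: it never sees the query, so it sprays every txid at
    one guessed port.  Returns how many forgeries were sent before the
    resolver accepted one, or None if the budget ran out."""
    resolver.send_query()
    for txid in range(min(budget, TXID_SPACE)):
        if resolver.deliver(txid, port_guess):
            return txid + 1
    return None


if __name__ == "__main__":
    rng = random.Random(2008)        # seeded so the demo is repeatable
    print("search space, fixed port  :", search_space(False))
    print("search space, random port :", search_space(True))
    print("forgeries to poison a fixed-port resolver:",
          flood(Resolver(False, rng), FIXED_PORT))
    print("same 65536-reply flood at port 53 against a randomizing resolver:",
          flood(Resolver(True, rng), FIXED_PORT))
    print("P(hit) with 65536 forgeries against random ports: %.2e"
          % hit_probability(TXID_SPACE, True))
```

Against the fixed-port resolver one sweep of 65536 forged replies is guaranteed to land, which is the "milliseconds" figure in the message. Against the randomizing resolver the same sweep at port 53 can never succeed, and a sweep at a guessed ephemeral port hits with probability 1/64512 per outstanding query; the attacker has to repeat the race roughly 64k times as often, but nothing in the model stops it from trying, which is why the thread calls this a mitigation rather than a fix.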

