Firewall Wizards mailing list archives
RE: terminal services
From: "Reckhard, Tobias" <tobias.reckhard () secunet com>
Date: Thu, 30 Jan 2003 08:10:45 +0100
On Wednesday, January 29, 2003 11:09 PM, Paul Robertson wrote:
Let's not forget that nailing DNS source ports to 53 reduces somewhat (though by a trivial amount) resistance to blind spoofing attacks.
Does that actually increase resistance against spoofing attacks? If a DNS client uses a new, randomly chosen source port for every query, it's got a list of valid response ports. Return packets with different destination ports can be dropped immediately. If I restrict myself to one randomly chosen source port, that protection deteriorates over time. If I use a well-known and therefore predictable source port, I've lost that protection completely. It means I have to accept each and every packet coming in as long as I've got outstanding queries. The DNS ID can be used for much better protection against spoofing attacks. dnscache uses a cryptographic generator for it. And see also: http://cr.yp.to/djbdns/forgery.html
For non-recursive resolvers, it may be a slight issue, since fewer packets gives a good chance to win a race.
I'm sorry, I don't understand what you mean.
For recursive resolvers, or resolvers doing resolution based on external factors (like e-mail,) it's probably not much of an issue to predict the query port.
If they are chosen randomly for individual queries, I do believe an attacker would have serious difficulties predicting them. What kind of an issue do you mean, difficulty for the attacker or security issue for the defender?
Cache poisoning attacks being easier certainly aren't a good thing, even if it's a very small bit easier.
But locking the source port is counterproductive.
I think next time I have to build a network though, the mailserver's DNS will be separate from the general populace's resolver.
What would the differences in their configuration be?

Cheers,
Tobias
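The check Tobias describes (a reply is accepted only if its destination port and transaction ID match a query that is still outstanding, so a fixed port leaves only the 16-bit ID to guess) as an added Python model; this is not code from the thread or from dnscache, and the Resolver class and the assumed ephemeral port range 1024-65535 are my own constructions.

```python
import secrets

# Assumed ephemeral source-port range for the model (not specified in the thread).
EPHEMERAL_PORTS = range(1024, 65536)
TXID_SPACE = 1 << 16  # the DNS transaction ID is a 16-bit field


def guess_space(strategy: str) -> int:
    """Number of (port, txid) pairs a blind forger must cover for one query.

    'fixed'         -> source port nailed to 53, only the txid varies
    'single_random' -> one random port reused for every query; once it has
                       been observed it is as predictable as a fixed port
    'per_query'     -> a fresh random ephemeral port for every query
    """
    if strategy in ("fixed", "single_random"):
        return TXID_SPACE
    if strategy == "per_query":
        return TXID_SPACE * len(EPHEMERAL_PORTS)
    raise ValueError(f"unknown strategy: {strategy}")


class Resolver:
    """Client-side acceptance check: a reply must match an outstanding query
    on both destination port and txid, otherwise it is dropped at once."""

    def __init__(self, per_query_port: bool):
        self.per_query_port = per_query_port
        self.single_port = secrets.choice(EPHEMERAL_PORTS)  # used in single-port mode
        self.outstanding: dict = {}  # (port, txid) -> query name

    def send_query(self, qname: str) -> tuple:
        port = secrets.choice(EPHEMERAL_PORTS) if self.per_query_port else self.single_port
        txid = secrets.randbelow(TXID_SPACE)  # cryptographic generator, as dnscache does
        while (port, txid) in self.outstanding:  # never reuse a live (port, txid) pair
            txid = secrets.randbelow(TXID_SPACE)
        self.outstanding[(port, txid)] = qname
        return port, txid

    def receive(self, dst_port: int, txid: int, qname: str) -> bool:
        """Return True if the reply is accepted and the query closed."""
        key = (dst_port, txid)
        if self.outstanding.get(key) != qname:
            return False  # unsolicited, wrong port, wrong id or wrong name: drop
        del self.outstanding[key]  # a second copy of the same reply is also dropped
        return True
```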