Firewall Wizards mailing list archives
Re: DNS security (Was: re: terminal services)
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 31 Jan 2003 11:32:51 +0100
"Reckhard, Tobias" wrote:

> On Wednesday, January 29, 2003 11:09 PM, Paul Robertson wrote:
> > Let's not forget that nailing DNS source ports to 53 reduces somewhat
> > (though by a trivial amount) resistance to blind spoofing attacks.
>
> Does that actually increase resistance against spoofing attacks?

Yes.

> The DNS ID can be used for much better protection against spoofing
> attacks. dnscache uses a cryptographic generator for it.

dnscache also uses a new random port number each time.

There's no cryptographic difference between randomizing the source port and the ID. They're both 16-bit numbers. There is however a world of a difference between randomizing just one, and randomizing both. All of a sudden, you go from "gotta hit 1 out of 65536 to get me", to "gotta hit 1 out of 4294967296 to get me".

> > For non-recursive resolvers, it may be a slight issue, since fewer
> > packets give a good chance to win a race.
>
> I'm sorry, I don't understand what you mean.

It's easier to beat the odds if the resolver has multiple queries outstanding. And the odds don't just increase linearly.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50      WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
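The two numbers Mikael quotes (1 in 65536 with one 16-bit field randomized, 1 in 4294967296 with both) and his remark that outstanding queries change the odds can be put into a small model. The following is an added illustration for this thread, not code from the list, from dnscache or from Clavister; it assumes the resolver's ID and port values and the forged replies are each uniform and distinct (sampling without replacement), and the scenario sizes are chosen only to show the shape of the curve.

```python
"""Blind-spoofing odds for a DNS resolver (added illustration, not thread code).

Models the guess space an off-path forger faces as the product of the
randomized 16-bit fields (transaction ID, UDP source port), then computes
the chance that a burst of forged replies matches any of the resolver's
in-flight queries. Uniform, no-repeat values are an assumption made for
illustration.
"""
import math

FIELD_BITS = 16  # the DNS ID and the UDP port are each 16-bit values


def guess_space(random_id: bool, random_port: bool) -> int:
    """Number of (ID, port) combinations a forger has to hit.

    Each randomized field multiplies the space by 2**16; a field pinned to a
    fixed value (for example source port 53) contributes a factor of 1.
    """
    bits = FIELD_BITS * (int(random_id) + int(random_port))
    return 1 << bits


def p_hit(space: int, outstanding: int, forged: int) -> float:
    """Probability that at least one of `forged` distinct forged replies
    matches one of `outstanding` distinct in-flight queries.

    With both sides uniform over `space` and drawn without replacement,
        P(no hit) = prod_{i < forged} (1 - outstanding / (space - i))
    evaluated in log space so tiny odds keep their precision.
    """
    if outstanding <= 0 or forged <= 0:
        return 0.0
    if outstanding + forged > space:
        return 1.0  # more distinct guesses than non-matching values: a hit is certain
    log_miss = sum(math.log1p(-outstanding / (space - i)) for i in range(forged))
    return -math.expm1(log_miss)


def compare(outstanding: int = 1, forged: int = 1) -> dict:
    """Hit probability under each randomization choice for one scenario."""
    configs = {
        "neither randomized": (False, False),
        "random ID only": (True, False),
        "random port only": (False, True),
        "random ID and port": (True, True),
    }
    return {name: p_hit(guess_space(*flags), outstanding, forged)
            for name, flags in configs.items()}


if __name__ == "__main__":
    # One query in flight, one forged reply: the thread's 1/65536 vs 1/4294967296.
    for name, p in compare().items():
        print(f"{name:20s} 1 query, 1 forged reply : {p:.3e}")
    # Eight queries in flight and eight forged replies: the odds scale with the
    # product of the two counts, not with either one alone.
    for name, p in compare(outstanding=8, forged=8).items():
        print(f"{name:20s} 8 queries, 8 forged     : {p:.3e}")
```

Running it shows why the thread treats the two fields as more than additive: the miss product makes the hit probability grow roughly as outstanding × forged / space, so a resolver with many queries in flight hands a forger a proportionally larger target, and only a 32-bit combined space keeps that product small enough to matter. For a defender the practical reading is to leave both the ID and the source port randomized and to avoid configurations (NAT, firewall rules, "nailed" ports) that quietly collapse one of them back to a constant.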