Firewall Wizards mailing list archives

Re: DNS security (Was: re: terminal services)


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 31 Jan 2003 11:32:51 +0100



"Reckhard, Tobias" wrote:

On Wednesday, January 29, 2003 11:09 PM, Paul Robertson wrote:
Let's not forget that nailing DNS source ports to 53 reduces somewhat
(though by a trivial amount) resistance to blind spoofing attacks.

Does that actually increase resistance against spoofing attacks? 

Yes.

The DNS ID can be used for much better protection against spoofing attacks.
dnscache uses a cryptographic generator for it.

dnscache also uses a new random port number each time.

There's no cryptographic difference between randomizing the source
port and the ID. They're both 16-bit numbers.

There is however a world of difference between randomizing just
one, and randomizing both. All of a sudden, you go from
"gotta hit 1 out of 65536 to get me", to
"gotta hit 1 out of 4294967296 to get me".


For non-recursive resolvers, it may be a slight issue, since
fewer packets give a good chance to win a race.

I'm sorry, I don't understand what you mean.

It's easier to beat the odds if the resolver has multiple
queries outstanding.  And the odds don't just increase 
linearly.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
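The numbers argued over in this thread, as an added worked example that is not code from any of the posters. It computes the chance that a blind attacker who fires a batch of forged replies hits one of the resolver's outstanding queries, first with only the 16-bit transaction ID randomized (source port nailed to 53), then with a random source port on top (the 2^32 case), and for one versus several outstanding queries. The model is my own simplification: the resolver accepts the first forged reply whose (ID, port) matches any query in flight for the name, the attacker's guesses are distinct and spread uniformly over the whole space, and the longer race window that several outstanding queries give an attacker in practice is ignored.

```python
"""Blind DNS reply spoofing odds: transaction ID only versus ID plus a
random source port, and the effect of several outstanding queries.

Added example to illustrate the thread's numbers; it is not code from any
poster.  Model assumptions (mine): the resolver has `outstanding` distinct
(ID, port) values in flight for the same name, it accepts the first forged
reply whose (ID, port) matches any of them, and the attacker's forged
replies use distinct guesses spread uniformly over the whole space.  The
model ignores the longer race window that several outstanding queries can
give an attacker in practice."""
import random

ID_SPACE = 1 << 16          # 16-bit DNS transaction ID


def search_space(port_choices):
    """Values an attacker must guess: ID space times the number of source
    ports the resolver may use (1 when nailed to 53, 65536 in the thread's
    idealised count, about 64512 for a real 1024-65535 ephemeral range)."""
    return ID_SPACE * port_choices


def exact_success_prob(space, outstanding, guesses):
    """P(at least one of `guesses` distinct forged values hits one of
    `outstanding` distinct in-flight values).  Hypergeometric, computed as
    a running product so the 2^32 case needs no huge binomials."""
    if guesses > space - outstanding:
        return 1.0                      # more guesses than non-hits: cannot miss
    miss = 1.0
    for i in range(guesses):
        miss *= (space - outstanding - i) / (space - i)
    return 1.0 - miss


def simulate_race(space, outstanding, guesses, trials, seed=1):
    """Monte Carlo cross-check of exact_success_prob: draw the resolver's
    in-flight values and the attacker's guesses, count rounds with a hit."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        in_flight = set(rng.sample(range(space), outstanding))
        forged = rng.sample(range(space), guesses)
        if any(g in in_flight for g in forged):
            hits += 1
    return hits / trials


def scenarios(guesses=1000, outstanding=8):
    """Attacker success per race for the cases argued in the thread:
    `guesses` forged replies land inside the resolver's wait window."""
    return {
        "id only, port 53, 1 query":
            exact_success_prob(search_space(1), 1, guesses),
        "id only, port 53, k queries":
            exact_success_prob(search_space(1), outstanding, guesses),
        "id + port (2^32), 1 query":
            exact_success_prob(search_space(ID_SPACE), 1, guesses),
        "id + port (2^32), k queries":
            exact_success_prob(search_space(ID_SPACE), outstanding, guesses),
    }


if __name__ == "__main__":
    for name, p in scenarios().items():
        print(f"{name:32s} {p:.3e}")
    print("simulated (id only, 8 queries, 1000 forged):",
          simulate_race(search_space(1), 8, 1000, trials=2000))
```

With 1000 forged replies per race, the ID-only case gives the attacker roughly a 1.5% chance per race against a single outstanding query and about 11% against eight; adding a random source port pushes the single-query figure down to a few parts in ten million, which is the 65536-to-4294967296 gap the message describes.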

