oss-sec mailing list archives
Re: DNS vulnerability: other relevant software
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 09 Jul 2008 20:13:02 +0200
* Mark J. Cox:
Additionally, Debian has noted (DSA 1605-1) that the GNU libc stub resolver could benefit from random query source ports as well, but no patches are currently available to implement this:Note that GNU libc stub resolver when used with a recent kernel (2.6.24+) will give you random UDP source ports on each request because of this Linux commit: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30
Is net_random() cryptographically secure? The paper referenced in the source doesn't talk about this.
Vendors may with to consider backporting that kernel patch as an effective mitigation without requiring glibc changes (and with the advantage of being able to be have a customized range using ip_local_port_range etc)
This still leaves the transaction ID generation to deal with. It's rdtsc on amd64 (don't know if this is good enough), but gettimeofday-based on some other architectures.
Current thread:
- DNS vulnerability: other relevant software Matthias Geerdsen (Jul 09)
- Re: DNS vulnerability: other relevant software The Fungi (Jul 09)
- Re: DNS vulnerability: other relevant software Mark J Cox (Jul 09)
- Re: DNS vulnerability: other relevant software Florian Weimer (Jul 09)
- Re: DNS vulnerability: other relevant software Eugene Teo (Jul 09)
- Re: DNS vulnerability: other relevant software Eugene Teo (Jul 09)
- Re: DNS vulnerability: other relevant software Eugene Teo (Jul 10)
- Re: DNS vulnerability: other relevant software Nathanael Hoyle (Jul 10)
- Re: DNS vulnerability: other relevant software Bernhard R. Link (Jul 11)
- Re: DNS vulnerability: other relevant software Nathanael Hoyle (Jul 11)
- Re: DNS vulnerability: other relevant software Florian Weimer (Jul 13)
- Re: DNS vulnerability: other relevant software Mark J Cox (Jul 09)
- Re: DNS vulnerability: other relevant software The Fungi (Jul 09)
- Re: DNS vulnerability: other relevant software Florian Weimer (Jul 12)
- Re: DNS vulnerability: other relevant software Eugene Teo (Jul 09)