oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DNS vulnerability: other relevant software

From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 09 Jul 2008 20:13:02 +0200
* Mark J. Cox:


Additionally, Debian has noted (DSA 1605-1) that the GNU libc stub
resolver could benefit from random query source ports as well, but
no patches are currently available to implement this:


Note that GNU libc stub resolver when used with a recent kernel
(2.6.24+) will give you random UDP source ports on each request
because of this Linux commit:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30


Is net_random() cryptographically secure?  The paper referenced in the
source doesn't talk about this.


Vendors may with to consider backporting that kernel patch as an
effective mitigation without requiring glibc changes (and with the
advantage of being able to be have a customized range using
ip_local_port_range etc)


This still leaves the transaction ID generation to deal with.  It's
rdtsc on amd64 (don't know if this is good enough), but
gettimeofday-based on some other architectures.
Previous By Date Next
Previous By Thread Next

Current thread: