
Recursive servers, but not proxy servers, affected.

Posted Jul 8, 2008 22:40 UTC (Tue) by rfunk (subscriber, #4054)
In reply to: Recursive servers, but not proxy servers, affected. by endecotp
Parent article: Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)

As I read it, it's a vulnerability in anything that acts as DNS client software. The fact that the glibc resolver is considered vulnerable indicates to me that it's not just recursive DNS that's a problem.

It appears that BIND 9 was fixed for this problem by implementing UDP source port randomization for the queries.

I've been looking into dnsmasq. It appears to rely on the underlying OS to choose the client port for queries. (Its random-number routine is used to generate a query ID, not a port number.) So I suppose the question then becomes whether Linux randomizes UDP client ports sufficiently and properly to address this issue. An IETF draft says Linux does source-port randomization, but it'd be nice to find a more specific authoritative source.



Recursive servers, but not proxy servers, affected.

Posted Jul 9, 2008 10:59 UTC (Wed) by rberger (guest, #52829) [Link]

Apparently, in terms of a fixed query source port, dnsmasq seems to be vulnerable anyway. I made some tests on my router - running kernel 2.6.25.10 - and the source port dnsmasq used to forward requests to my ISP's name servers was all the same for several queries.

As I understand it, you can specify a source port via config or command line, or dnsmasq will pick one randomly at startup. But once it is chosen, it apparently will use it for all queries from this point on.

Since it doesn't recurse, dnsmasq won't be top priority I guess, as an attacker would have to spoof one of the ISP's nameservers, which is much more unlikely than spoofing one of the servers on a recursive resolution path. So I'd be interested in my ISP getting its servers straight in the first place.

But it would still be nice if this got fixed some time, given the attention this issue draws.
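The check rberger performed by hand above, and the one rfunk's question about OS port randomization calls for, can be automated. The following is an added example, not code from either commenter or from the dnsmasq project: it parses constructed tcpdump-style summary lines of a resolver's outgoing queries and reports whether the UDP source port varies at all, since a fixed port leaves only the 16-bit transaction ID for an off-path spoofer to guess.

```python
import math
import re
from collections import Counter

# Matches the tcpdump one-line summary of an outgoing UDP DNS query:
#   "<time> IP <src>.<sport> > <dst>.53: <txid>+ <type>? <name>. (<len>)"
QUERY_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.53: (\d+)\+ ")

# Constructed sample (not a real trace): a forwarder that sends every
# query from the same UDP source port, as observed in the post above.
SAMPLE_FIXED_PORT = """\
10:59:01.000001 IP 192.0.2.10.45872 > 198.51.100.1.53: 31467+ A? example.com. (29)
10:59:01.200002 IP 192.0.2.10.45872 > 198.51.100.1.53: 9023+ A? example.net. (29)
10:59:01.400003 IP 192.0.2.10.45872 > 198.51.100.2.53: 55201+ AAAA? example.org. (29)
10:59:01.600004 IP 192.0.2.10.45872 > 198.51.100.1.53: 2310+ MX? example.com. (29)
"""

def parse_queries(capture):
    """Return [(source_port, txid), ...], one tuple per outgoing query line."""
    pairs = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(2)), int(m.group(4))))
    return pairs

def shannon_bits(values):
    """Empirical Shannon entropy of the observed values, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess(capture):
    """Summarise the source-port behaviour of the resolver in the capture."""
    pairs = parse_queries(capture)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    fixed = len(pairs) > 1 and len(set(ports)) == 1
    return {
        "queries": len(pairs),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(shannon_bits(ports), 2) if pairs else 0.0,
        "txid_entropy_bits": round(shannon_bits(txids), 2) if pairs else 0.0,
        # True means only the transaction ID stands between a guess and a hit.
        "fixed_source_port": fixed,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_FIXED_PORT))
```

Feed it the output of `tcpdump -nn udp dst port 53` taken on the resolver's upstream interface; a healthy resolver shows a distinct port on nearly every query, not a flat line.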

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds