Recursive servers, but not proxy servers, affected.
Posted Jul 8, 2008 22:40 UTC (Tue) by rfunk
In reply to: Recursive servers, but not proxy servers, affected.
Parent article: Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)
As I read it, it's a vulnerability in anything that acts as DNS client
software. The fact that the glibc resolver is considered vulnerable
indicates to me that it's not just recursive DNS that's a problem.
It appears that BIND 9 was fixed for this problem by implementing UDP
source port randomization for the queries.
I've been looking into dnsmasq. It appears to rely on the underlying OS to
choose the client port for queries. (Its random-number routine is used to
generate a query ID, not a port number.) So I suppose the question then
becomes whether Linux randomizes UDP client ports sufficiently and
properly to address this issue. An IETF draft says Linux does source-port
randomization, but it'd be nice to find a more specific authoritative source.
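The comment above asks whether it is enough to rely on the kernel's UDP source-port choice when only the query ID is generated by the resolver. The following is an added illustration, not code from the thread, from dnsmasq, glibc or BIND: it quantifies why the 16-bit query ID alone is a small search space for a blind spoofer and how much a randomized source port widens it, then samples the ephemeral ports the local kernel actually hands out so you can eyeball whether they look sequential or random. The probability model is the simplest one (one outstanding query, each forged reply an independent uniform guess) and ignores the multi-race trick that makes the attack practical. The ephemeral-range size is an assumption taken from Linux's default net.ipv4.ip_local_port_range (32768-60999 on modern kernels) and is used only for scale.

```python
"""Two checks for the source-port randomization question (added example)."""
import math
import socket
from typing import Dict, List

# Assumption: size of Linux's default ephemeral range, sysctl
# net.ipv4.ip_local_port_range = 32768 60999. Illustrative only; read the
# sysctl on the host you care about.
LINUX_DEFAULT_EPHEMERAL_PORTS = 60999 - 32768 + 1  # 28232 ports


def poison_probability(forged_replies: int, search_space: int) -> float:
    """Chance that at least one of `forged_replies` blind guesses matches the
    outstanding query before the genuine answer arrives, when the attacker
    must hit one value chosen uniformly from `search_space` possibilities."""
    return 1.0 - (1.0 - 1.0 / search_space) ** forged_replies


def forged_replies_needed(target_probability: float, search_space: int) -> int:
    """Number of forged replies needed to reach `target_probability` of a hit."""
    return math.ceil(
        math.log1p(-target_probability) / math.log1p(-1.0 / search_space)
    )


def sample_ephemeral_ports(count: int) -> List[int]:
    """Bind `count` UDP sockets with port 0 and return what the kernel chose.
    All sockets stay open until every one is bound, so the kernel cannot
    hand the same port out twice within the sample."""
    socks = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(count)]
    try:
        for s in socks:
            s.bind(("127.0.0.1", 0))  # port 0: let the kernel pick
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()


def summarize_ports(ports: List[int]) -> Dict[str, float]:
    """Crude randomness indicators: distinct values, overall span, and the
    fraction of successive picks that differ by exactly one. A sequential
    allocator scores near 1.0 on that last figure, a random one near 0.0."""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for d in steps if d == 1) / len(steps) if steps else 0.0
    return {
        "distinct": len(set(ports)),
        "span": max(ports) - min(ports),
        "sequential_fraction": sequential,
    }


if __name__ == "__main__":
    k = 1000
    id_only = 2 ** 16
    id_and_port = 2 ** 16 * LINUX_DEFAULT_EPHEMERAL_PORTS
    print(f"{k} forged replies, 16-bit ID only:     "
          f"{poison_probability(k, id_only):.4%}")
    print(f"{k} forged replies, ID + random port:   "
          f"{poison_probability(k, id_and_port):.6%}")
    print("replies for a 50% hit, 16-bit ID only:  ",
          forged_replies_needed(0.5, id_only))
    print("replies for a 50% hit, ID + random port:",
          forged_replies_needed(0.5, id_and_port))
    print("this host's UDP ephemeral ports:", summarize_ports(sample_ephemeral_ports(64)))
```

A high `sequential_fraction` or a tiny `span` from the last line means the kernel is not giving the resolver any extra entropy and the query ID is carrying the whole load; a resolver that trusts the OS for port choice, as the comment describes dnsmasq doing, is then only as strong as that 16-bit ID.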