Recursive servers, but not proxy servers, affected.

Posted Jul 9, 2008 12:44 UTC (Wed) by nix (subscriber, #2304)
In reply to: Recursive servers, but not proxy servers, affected. by nix
Parent article: Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)

It's BIND 8-derived, and as far as I can tell it does source port randomization (at least the source ports it uses on my system, with a pristine glibc 2.7, are randomized, assuming a sufficiently recent kernel).


Recursive servers, but not proxy servers, affected.

Posted Jul 10, 2008 12:19 UTC (Thu) by BenHutchings (subscriber, #37955)

I suspect that the glibc stub resolver just binds its socket to an unspecified port, which is fairly random after the system has been running for a while (whereas BIND typically starts shortly after the machine is booted). But an attacker can find out which source port you're using if you ever send a query to a DNS server they control. If I understand correctly, the source port needs to be randomised for each query (i.e. the resolver keeps re-binding to specified random ports).
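The distinction drawn in the comment above (one socket bound once to a kernel-chosen port and reused for every query, versus a fresh socket, and therefore a fresh ephemeral port, per query) can be observed directly. The following is an added example, not code from the thread or from glibc or BIND: a UDP listener on 127.0.0.1 stands in for the attacker-controlled DNS server and simply records the source port of each query it receives; the query names and the minimal wire-format encoder are constructed for the demonstration. With the persistent socket every query arrives from the same port, so one query to the attacker's server reveals the port used for all later queries; with a socket per query the port changes (how well, depends on the kernel's ephemeral port selection, the point nix makes above).

```python
import secrets
import socket
import struct
import threading


def build_query(qname, txid):
    """Encode a minimal DNS A/IN query in RFC 1035 wire format (RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


class PortObservingServer:
    """Stand-in for a DNS server the attacker controls (constructed for the
    example): records (txid, source port) of every query and answers with an
    empty NOERROR response so the client's recvfrom() completes."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.addr = self.sock.getsockname()
        self.observed = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while True:
            data, peer = self.sock.recvfrom(512)
            if data == b"stop":
                break
            txid = struct.unpack("!H", data[:2])[0]
            self.observed.append((txid, peer[1]))   # peer[1] is the source port
            reply = struct.pack("!HH", txid, 0x8180) + data[4:]
            self.sock.sendto(reply, peer)

    def stop(self):
        self.sock.sendto(b"stop", self.addr)
        self.thread.join(timeout=2)
        self.sock.close()


def query_persistent_socket(server_addr, names):
    """The pattern BenHutchings suspects: bind once to an unspecified port
    and reuse that socket. The port is random once, then fixed for its lifetime."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(2)
    try:
        for name in names:
            sock.sendto(build_query(name, secrets.randbits(16)), server_addr)
            sock.recvfrom(512)
    finally:
        sock.close()


def query_fresh_socket_per_query(server_addr, names):
    """Per-query source port randomisation: a new socket, hence a new
    kernel-chosen ephemeral port, for every query."""
    for name in names:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(2)
            sock.sendto(build_query(name, secrets.randbits(16)), server_addr)
            sock.recvfrom(512)


def observed_source_ports(strategy, n=8):
    """Run a query strategy against the observing server and return the list
    of source ports the 'attacker' saw, one per query, in order."""
    server = PortObservingServer()
    try:
        strategy(server.addr, ["host%d.example." % i for i in range(n)])
        return [port for _, port in server.observed]
    finally:
        server.stop()


if __name__ == "__main__":
    print("persistent socket :", observed_source_ports(query_persistent_socket))
    print("socket per query  :", observed_source_ports(query_fresh_socket_per_query))
```

With the persistent socket the attacker needs only the 16-bit transaction ID once the port is known; with a port per query the port has to be guessed alongside the ID for every forged reply, which is what the multivendor patch restores in the resolvers it covers.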

Recursive servers, but not proxy servers, affected.

Posted Jul 10, 2008 12:30 UTC (Thu) by nix (subscriber, #2304)

Aha. It can't persist the socket but has to re-bind(). OK, glibc's not doing that.

(Can you tell I've not done much UDP stuff? I love the Internet: I can let my ignorance and incompetence hang out for all to see!)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds