Hosting Provided By

Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)

From: Amit Klein <aksecurity(at)gmail.com>
Date: Fri Jul 27 2007 - 18:34:13 EDT

Tim Newsham wrote:
>> "it's not like this hasn't been reported, and fixed, many times by
>> many others" - so if it's fixed so many times, how come it was still
>> vulnerable, and ISC had to issue their patches?
>
> Because its just a 16-bit field. DNS is broken. Cache poisoning will
> happen. Those are the facts on the ground. The only argument left
> is the degree of brokenness.

Perhaps. Even so, adding, as you (and many others) suggested previously, UDP source port (strong) randomization, in combination with strong transaction ID randomization would make poisoning way way harder than where it is today. Instead of 16 bits, you'd have ~30 bits of (strong) randomness. That's much better, and there's no reason I see why it can't be implemented today. Received on Fri Jul 27 18:03:03 2007

This message: [ Message body ]
Next message: Joep Vesseur: "Re: Solaris finger bug"
Previous message: Tim Newsham: "Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)"
In reply to: Tim Newsham: "Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:10:20 EDT