[fw-wiz] Re: DNS security (Was: re: terminal services)
From: Mikael Olsson (mikael.olsson@clavister.com)
Date: 01/31/03
- Next message: Reckhard, Tobias: "[fw-wiz] RE: DNS security (Was: re: terminal services)"
- Previous message: Mikael Olsson: "Re: [fw-wiz] VMware (or else) in different areas/dmz"
- In reply to: Reckhard, Tobias: "RE: [fw-wiz] terminal services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Mikael Olsson <mikael.olsson@clavister.com>
To: "Reckhard, Tobias" <tobias.reckhard@secunet.com>
Date: Fri Jan 31 08:00:48 2003
"Reckhard, Tobias" wrote:
>
> On Wednesday, January 29, 2003 11:09 PM, Paul Robertson wrote:
> > Let's not forget that nailing DNS source ports to 53 reduces somewhat
> > (though by a trivial amount) resistance to blind spoofing attacks.
>
> Does that actually increase resistance against spoofing attacks?
Yes.
> The DNS ID can be used for much better protection against spoofing attacks.
> dnscache uses a cryptographic generator for it.
dnscache also uses a new random port number each time.
There's no cryptographic difference between randomizing the source
port and the ID. They're both 16-bit numbers.
There is however a world of difference between randomizing just
one, and randomizing both. All of a sudden, you go from
"gotta hit 1 out of 65536 to get me", to
"gotta hit 1 out of 4294967296 to get me".
> > For non-recursive resolvers, it may be a slight issue, since
> > fewer packets
> > gives a good chance to win a race.
>
> I'm sorry, I don't understand what you mean.
It's easier to beat the odds if the resolver has multiple
queries outstanding. And the odds don't just increase
linearly.
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05  Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
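The numbers in the message above (1 in 65536 versus 1 in 4294967296, and the effect of several queries being in flight at once) can be worked through with the following added example. It is not code from the fw-wiz thread, from Mikael Olsson or from Clavister; it assumes a simple model in which every outstanding query draws its 16-bit transaction ID (and, when port randomisation is on, its 16-bit UDP source port) independently and uniformly, and the blind forger sends K distinct guesses. Under that model the chance that at least one guess lands on at least one of N in-flight queries is 1 - (1 - K/S)^N, where S is the size of the guessed space.

```python
# Added example (not from the fw-wiz thread): blind DNS spoofing odds under
# ID-only versus ID+source-port randomisation, for N outstanding queries.
# Model assumption: each in-flight query picks its ID (and, if enabled, its
# source port) independently and uniformly; the forger sends K distinct
# guesses.  Then P(hit) = 1 - (1 - K/S)^N.
from fractions import Fraction
import math

ID_SPACE = 1 << 16     # 16-bit DNS transaction ID
PORT_SPACE = 1 << 16   # 16-bit UDP source port


def search_space(randomize_port: bool) -> int:
    """Values a blind forger must guess from: ID only, or ID x source port."""
    return ID_SPACE * (PORT_SPACE if randomize_port else 1)


def hit_probability(space: int, outstanding: int, forged: int) -> Fraction:
    """Exact probability that at least one of `forged` distinct guesses
    matches at least one of `outstanding` independent in-flight queries."""
    if not 0 <= forged <= space or outstanding < 0:
        raise ValueError("forged guesses must lie in [0, space]")
    miss_one = Fraction(space - forged, space)   # a single query survives
    return 1 - miss_one ** outstanding


def guesses_needed(space: int, outstanding: int, target) -> int:
    """Smallest number of distinct forged packets giving P(hit) >= target.

    A float estimate from the closed form is corrected with exact Fractions,
    so the result is exact even for a 2^32 search space."""
    if outstanding <= 0 or not 0 < target <= 1:
        raise ValueError("need outstanding >= 1 and 0 < target <= 1")
    k = math.ceil(space * (1 - (1 - float(target)) ** (1 / outstanding)))
    k = max(0, min(k, space))
    while k < space and hit_probability(space, outstanding, k) < target:
        k += 1
    while k > 0 and hit_probability(space, outstanding, k - 1) >= target:
        k -= 1
    return k


if __name__ == "__main__":
    half = Fraction(1, 2)
    for randomize_port in (False, True):
        s = search_space(randomize_port)
        print(f"{'ID+port' if randomize_port else 'ID only':8} space={s}")
        for n in (1, 2, 8, 64):
            p1 = float(hit_probability(s, n, 1))
            print(f"  {n:3} outstanding: one forged packet hits with "
                  f"p={p1:.3e}; 50% needs {guesses_needed(s, n, half)} "
                  f"forged packets")
```

Running the script prints, for both configurations, how likely a single forged reply is to be accepted and how many distinct forged replies are needed for a coin-flip chance, with 1, 2, 8 and 64 queries outstanding. The figures make the two points in the message concrete: randomising the port alongside the ID multiplies the work by 65536, and every additional outstanding query hands the forger more targets per packet sent.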