[fw-wiz] RE: DNS security (Was: re: terminal services)
From: Reckhard, Tobias (tobias.reckhard@secunet.com)
Date: 01/31/03
- Next message: ark@eltex.ru: "Re: [fw-wiz] Proxy Firewalls (was FWTK vs T.REX)"
- Previous message: Mikael Olsson: "[fw-wiz] Re: DNS security (Was: re: terminal services)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Reckhard, Tobias" <tobias.reckhard@secunet.com>
To: Mikael Olsson <mikael.olsson@clavister.com>, "Reckhard, Tobias" <tobias.reckhard@secunet.com>
Date: Fri Jan 31 08:01:04 2003
Mikael Olsson wrote:
> "Reckhard, Tobias" wrote:
> >
> > On Wednesday, January 29, 2003 11:09 PM, Paul Robertson wrote:
> > > Let's not forget that nailing DNS source ports to 53 reduces somewhat
> > > (though by a trivial amount) resistance to blind spoofing attacks.
> >
> > Does that actually increase resistance against spoofing attacks?
>
> Yes.
No. As you say yourself. See below.
[snip]
> dnscache also uses a new random port number each time.
[snip]
> There is however a world of a difference between randomizing just
> one, and randomizing both. All of a sudden, you go from
> "gotta hit 1 out of 65536 to get me", to
> "gotta hit 1 out of 4294967296 to get me".
Right. So it's 64K times as difficult to spoof a DNS client that randomizes
its source port as opposed to one that uses a fixed source port. That means
that, using Paul's words in part, nailing DNS source ports to 53 does not
reduce, but instead increases somewhat, resistance to blind spoofing
attacks. That's my point: it's counter-productive to use a fixed source port
in DNS requests, and even worse to choose 53.
> > > For non-recursive resolvers, it may be a slight issue, since fewer
> > > packets gives a good chance to win a race.
> >
> > I'm sorry, I don't understand what you mean.
>
> It's easier to beat the odds if the resolver has multiple
> queries outstanding. And the odds don't just increase
> linearly.
Ah, OK, I get it now. Thanks for the explanation, Mikael.
Cheers,
Tobias
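The arithmetic behind the thread (a 16-bit transaction ID alone versus ID plus a randomized 16-bit source port, and the effect of several outstanding queries) is easy to get wrong by hand, so here is an added worked example. It is not code from the list or from any resolver mentioned above; the probability model (distinct forged replies, independent random values per outstanding query, every outstanding query being for the same name) and the sample port list are assumptions constructed for illustration. The audit helper is the check a defender would run over a packet capture of a resolver's outgoing queries to confirm it is not nailed to a single port.

```python
"""Blind-spoofing resistance of a DNS resolver, as discussed in the thread.

A forged reply is accepted only if it carries the 16-bit transaction ID of
an outstanding query and arrives at the UDP source port that query was sent
from. A fixed source port leaves only the ID to guess; randomizing the port
adds another 16 bits to the search space.
"""
from collections import Counter
from typing import Dict, Iterable, Optional

ID_BITS = 16
PORT_BITS = 16


def search_space(randomize_port: bool) -> int:
    """Number of (ID, port) combinations a blind spoofer must cover."""
    bits = ID_BITS + (PORT_BITS if randomize_port else 0)
    return 1 << bits


def hit_probability(guesses: int, outstanding: int, randomize_port: bool) -> float:
    """Probability that `guesses` distinct forged replies match at least one
    of `outstanding` concurrent queries.

    Model (assumed): each outstanding query draws its ID (and port, if
    randomized) independently and uniformly; the attacker's guesses are
    distinct; any single match wins. A single guess against one query
    therefore hits with probability 1/space, and against k queries the
    miss probability is (1 - guesses/space)**k.
    """
    space = search_space(randomize_port)
    if guesses >= space:
        return 1.0
    miss_one_query = 1.0 - guesses / space
    return 1.0 - miss_one_query ** outstanding


def audit_source_ports(ports: Iterable[int]) -> Dict[str, Optional[int]]:
    """Inspect the UDP source ports of observed outgoing queries.

    Returns a dict with the number of distinct ports, whether the resolver
    looks nailed to one port, and (if so) which port. A randomizing
    resolver should show roughly as many distinct ports as queries.
    """
    counts = Counter(ports)
    distinct = len(counts)
    fixed = distinct == 1
    port = next(iter(counts)) if fixed else None
    return {"distinct": distinct, "fixed": fixed, "port": port}


if __name__ == "__main__":
    # Constructed sample: source ports seen on six outgoing queries.
    nailed = [53, 53, 53, 53, 53, 53]
    randomized = [40123, 51877, 33019, 60441, 45502, 38790]
    print("space, fixed port     :", search_space(False))
    print("space, randomized port:", search_space(True))
    print("ratio                 :", search_space(True) // search_space(False))
    print("one guess, one query, fixed port:", hit_probability(1, 1, False))
    print("one guess, ten queries, fixed port:", hit_probability(1, 10, False))
    print("audit nailed    :", audit_source_ports(nailed))
    print("audit randomized:", audit_source_ports(randomized))
```

The ratio printed is the 64K factor Tobias refers to; the ten-outstanding-queries line shows that several concurrent queries for the same name multiply the attacker's chance per forged reply, which is the race Mikael describes.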