[BUGS] BIND update?

Edwin Groothuis edwin at mavetju.org
Sat Jul 12 14:43:22 EST 2008


(Forwarded to bugs at bugs.au.freebsd.org for general information)

On Fri, Jul 11, 2008 at 08:55:00PM +1000, jonathan michaels wrote:
> On Thu, Jul 10, 2008 at 10:17:15PM +1000, Edwin Groothuis wrote:
> > On Thu, Jul 10, 2008 at 12:29:55PM +0200, Oliver Brandmueller wrote:
> > > Hi,
> > > 
> > > On Thu, Jul 10, 2008 at 03:17:26AM -0700, Xin LI wrote:
> > > > Speaking as my own: Base system needs more conservative QA process, 
> 
> trimmed ... reasons
>
> between drs, hospital and banking stuff i've had a 'full week' and not
> been able to follow this whole bind business.
> 
> is this issue a serious one ?? please ??

From what I've read and understand from the snippets of information
which have been given (which can be a wrong interpretation so feel
free to correct me):

- A DNS query has a 16 bit identifier in the DNS header.
  If I can force your nameserver to query a specific domain, I need
  to send 2**16 = 65K spoofed replies to your nameserver to make
  it accept my spoofed answer.

- It is possible with some nameservers to predict the range the
  identifier is in if you know the identifier from two current
  requests (Birthday attack, See wikipedia)

Add these two together and you suddenly don't have 65K packets to
be sent but somewhere around 300.

So how to overcome this issue? Making it more difficult to predict
(something) in the DNS request. The only thing they could find that was
changeable in such a thing was something in the UDP header: Instead
of using a static source port for all outgoing requests they changed
it so that it would use a different one (as unpredictable
as possible of course) for each request.

So each request from an all-new-and-shiny-DNS server now has not 16
bit identifiers alone, but 16 bits in the DNS header and 16 bits
in the UDP header, making it 32 bits (minus a little bit for ports
which can be used because they are already used etc)

Of course we will know what is going on the sixth of August, but
in the meantime: http://www.youtube.com/watch?v=XDKw8ny6IcM.

Edwin
-- 
Edwin Groothuis      |            Personal website: http://www.mavetju.org
edwin at mavetju.org    |              Weblog: http://www.mavetju.org/weblog/
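As an added illustration (not part of Edwin's mail), a check a resolver operator could run over the (UDP source port, DNS transaction ID) pairs observed for their own resolver's outgoing queries, to tell a static-port resolver from one that randomizes ports as described above. The sample pairs are constructed, not captured from any real host.

```python
import math
from collections import Counter

# Constructed samples of (udp_source_port, dns_txid) for successive outgoing
# queries. A resolver using a fixed port and counting TXIDs, beside one that
# varies both fields per query.
STATIC_PORT_RESOLVER = [(53, 0x1a2b), (53, 0x1a2c), (53, 0x1a2d), (53, 0x1a2e),
                        (53, 0x1a2f), (53, 0x1a30), (53, 0x1a31), (53, 0x1a32)]
RANDOM_PORT_RESOLVER = [(50213, 0x9f31), (61907, 0x0c4e), (34888, 0xe1a0),
                        (57021, 0x5b77), (41295, 0x3d02), (63340, 0xa8c9),
                        (39457, 0x7e15), (52780, 0x2c6b)]


def shannon_bits(values):
    """Empirical Shannon entropy (bits) of the observed values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values):
    """True if each value is exactly the previous one plus one."""
    return all(b == a + 1 for a, b in zip(values, values[1:]))


def assess_resolver(samples):
    """Summarise how much of the 16-bit TXID + 16-bit port space a resolver
    actually uses, based on observed outgoing queries."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    findings = []
    if len(set(ports)) == 1:
        findings.append("static source port: only the 16-bit TXID varies")
    if is_sequential(txids):
        findings.append("sequential TXIDs: next ID follows from one observed query")
    # Upper bound on the space an off-path spoofer must cover: 2^16 for the
    # TXID, and another ~2^16 for the port only if it is varied per query
    # (slightly less in practice, since ports already in use are skipped).
    guess_space_bits = 16 + (16 if len(set(ports)) > 1 else 0)
    return {
        "port_entropy_bits": shannon_bits(ports),
        "txid_entropy_bits": shannon_bits(txids),
        "guess_space_bits": guess_space_bits,
        "findings": findings,
    }
```

Eight samples only illustrate the check; a real assessment needs a few thousand queries before the empirical entropy figures mean much.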

