
Re: DNS Cache poisoning and pdnsd


Pierre Habouzit

Jul 9, 2008, 1:40:10 PM
On Wed, Jul 09, 2008 at 09:44:21AM +0000, Kapil Hari Paranjape wrote:
> Hello,
>
> The Debian advisory does not mention the status of "pdnsd" w.r.t the
> DNS cache poisoning problem. A quick check seems to suggest that
> "pdnsd" also randomises the source port while sending out a query.
>
> Could the maintainer of "pdnsd" please confirm this? I do not want to
> file a pointless bug report if this is not a problem!

Quoting pdnsd.conf(5):

query_port_start=number;
If given, defines the start of the port range used for queries
of pdnsd. The value given must be >= 1024. The purpose of this
option is to aid certain firewall configurations that are based
on the source port. Please keep in mind that another application
may bind a port in that range, so a stateful firewall using tar‐
get port and/or process uid may be more effective. In case a
query start port is given pdnsd uses this port as the first port
of a specified port range (see query_port_end) used for queries.
pdnsd will try to randomly select a free port from this range as
                  ^^^^^^^^
local port for the query.
To ensure that there are enough ports for pdnsd to use, the
range between query_port_start and query_port_end should be
adjusted to at least (par_queries * proc_limit). A higher value
is highly recommended, because other applications may also allo‐
cate ports in that range. If possible, this range should be kept
out of the space that other applications usually use.

query_port_end=number;
Only used if query_port_start is given. Defines the last port of
the range started by query_port_start used for queries by pdnsd.
The default is 65535, which is also the maximum legal value for
^^^^^^^^^^^^^^^^^^^^^
this option. For details see the description of
query_port_start.


And the code matches the documentation. And yes a new socket is used for each
request if that matters.

--
·O· Pierre Habouzit
··O madc...@debian.org
OOO http://www.madism.org

Kapil Hari Paranjape

Jul 9, 2008, 6:10:13 AM
Hello,

The Debian advisory does not mention the status of "pdnsd" w.r.t the
DNS cache poisoning problem. A quick check seems to suggest that
"pdnsd" also randomises the source port while sending out a query.

Could the maintainer of "pdnsd" please confirm this? I do not want to
file a pointless bug report if this is not a problem!

Thanks and regards,

Kapil.

Florian Weimer

Jul 9, 2008, 3:00:20 PM
* Pierre Habouzit:

> And the code matches the documentation. And yes a new socket is used for each
> request if that matters.

But it seems to use a weak PRNG (random from libc).


--
To UNSUBSCRIBE, email to debian-secu...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
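As an added illustration for this thread (not pdnsd's own code, and not taken from any of the posts above), the following C program shows the two points the pdnsd.conf(5) excerpt and Florian's remark turn on: picking a local query port from the query_port_start/query_port_end range with the kernel's CSPRNG instead of libc random(), and checking the range against the manual's (par_queries * proc_limit) sizing rule. The function names, the use of /dev/urandom, and the sample values in main() are assumptions made for this example; rejection sampling is used so that the port distribution is uniform over the range.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not pdnsd's code. Reads n bytes from the kernel CSPRNG
 * (/dev/urandom, assumed available). Returns 0 on success, -1 on failure. */
static int urandom_bytes(void *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Uniform integer in [0, n) by rejection sampling, so that the reduction
 * modulo n does not skew the distribution towards the low ports. */
static int uniform_below(uint32_t n, uint32_t *out) {
    uint32_t limit = UINT32_MAX - (UINT32_MAX % n);
    uint32_t r;
    do {
        if (urandom_bytes(&r, sizeof r) != 0) return -1;
    } while (r >= limit);
    *out = r % n;
    return 0;
}

/* Returns a port in [start, end], or -1 if the range violates the documented
 * constraints (start >= 1024, end <= 65535) or the random source fails.
 * Binding the socket to the chosen port is left out; this only shows the
 * selection step. */
int pick_query_port(int start, int end) {
    if (start < 1024 || end > 65535 || start > end) return -1;
    uint32_t span = (uint32_t)(end - start) + 1;
    uint32_t off;
    if (uniform_below(span, &off) != 0) return -1;
    return start + (int)off;
}

/* The manual's sizing rule: the range must hold at least
 * par_queries * proc_limit ports. Returns 1 if adequate, 0 otherwise. */
int range_is_adequate(int start, int end, int par_queries, int proc_limit) {
    if (start > end) return 0;
    long needed = (long)par_queries * proc_limit;
    return (long)(end - start) + 1 >= needed;
}

/* Rough liveness check of the randomness: draw n ports and count distinct
 * values. A stuck or sequential source shows far fewer than expected; for
 * n much smaller than the range size, nearly all n should be distinct. */
int distinct_ports(int start, int end, int n) {
    static unsigned char seen[65536];
    memset(seen, 0, sizeof seen);
    int distinct = 0;
    for (int i = 0; i < n; i++) {
        int p = pick_query_port(start, end);
        if (p < 0) return -1;
        if (!seen[p]) { seen[p] = 1; distinct++; }
    }
    return distinct;
}

int main(void) {
    /* Sample configuration values, constructed for this example. */
    int start = 1024, end = 65535;
    printf("range adequate for 4 parallel queries x 1024 procs: %d\n",
           range_is_adequate(start, end, 4, 1024));
    for (int i = 0; i < 5; i++)
        printf("query port: %d\n", pick_query_port(start, end));
    printf("distinct ports in 1000 draws: %d\n",
           distinct_ports(start, end, 1000));
    return 0;
}
```

The distinct-port count is only a sanity check against a broken or unseeded source; it says nothing about predictability, which is why the selection uses the kernel CSPRNG rather than a seeded libc generator in the first place.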

Kapil Hari Paranjape

Jul 24, 2008, 12:40:11 AM
Hello,

On Wed, 09 Jul 2008, Kapil Hari Paranjape wrote:
> The Debian advisory does not mention the status of "pdnsd" w.r.t the
> DNS cache poisoning problem. A quick check seems to suggest that
> "pdnsd" also randomises the source port while sending out a query.

According to the following URL Dan Kaminsky's cat's whiskers may already
be out of the bag[*] and source port randomisation may not be enough.

http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html

Regards,

Kapil.

[*] Sorry for the sub-metaphor --- I liked it so I added it.

Florian Weimer

Jul 25, 2008, 6:00:27 PM
* Kapil Hari Paranjape:

> According to the following URL Dan Kaminsky's cat's whiskers may already
> be out of the bag[*] and source port randomisation may not be enough.

Most announcements indicated that source port randomization is only a
band-aid, hopefully deployable in the short, and not a long-term
solution.

As far as I can tell, of the four major approaches, three have been
published so far.
