[dns-operations] Why non-repeating transaction IDs?
bert hubert
bert.hubert at netherlabs.nl
Fri Aug 3 09:25:00 UTC 2007
On Fri, Aug 03, 2007 at 09:49:55AM +0100, Simon Waters wrote:
> This is DJB's sort of territory.
>
> Of course the basic problem with DNS is the space is rather small, so spoofing
> is theoretically possible even if you do use a "good" method of generating
> transaction IDs.
It is not just theoretically possible, it is easy in practice.
So you randomize source ports too, adding nearly 16 bits to the 16 bits of
random already available. 31.97 bits of random is nothing to sneeze at if you
have a 100ms timeframe to scan it.
See http://wiki.powerdns.com/cgi-bin/resilience.fcgi/wiki and
http://ds9a.nl/tmp/draft-ietf-dnsext-forgery-resilience.html
Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
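The entropy and per-window odds Bert is quoting, worked through in Python as an added example (not from his post or from PowerDNS); the 1024-65535 source-port range and the 100,000-forgeries-per-window figure are my assumptions for illustration.

```python
"""Off-path DNS forgery resilience: how much a random source port adds
to the 16-bit transaction ID. Added example; port range is assumed."""
import math

TXID_SPACE = 1 << 16  # 16-bit DNS transaction ID


def port_space(low=1024, high=65535):
    """Distinct source ports a resolver can pick from (assumed range)."""
    return high - low + 1


def effective_bits(txid_space=TXID_SPACE, ports=None):
    """Bits an off-path forger must guess per query.

    With ports=None only the TXID is unpredictable (16 bits); with a
    randomised source port the search space is the product of both,
    which for 1024-65535 comes out just under 32 bits (~31.98).
    """
    return math.log2(txid_space * (ports or 1))


def forgery_success_probability(search_space_bits, forged_responses):
    """Chance that at least one of N distinct blind (TXID, port) guesses,
    all arriving inside the resolver's wait window, matches the real
    query. Distinct guesses give P = N / S, capped at 1."""
    space = 2.0 ** search_space_bits
    return min(1.0, forged_responses / space)


if __name__ == "__main__":
    window_guesses = 100_000  # assumed forgeries fitting in one ~100 ms window
    for label, bits in (("TXID only", effective_bits()),
                        ("TXID + random port", effective_bits(ports=port_space()))):
        p = forgery_success_probability(bits, window_guesses)
        print(f"{label:20s} {bits:6.2f} bits  P(hit per window) = {p:.2e}")
```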