[dns-operations] Why non-repeating transaction IDs?

bert hubert bert.hubert at netherlabs.nl
Fri Aug 3 09:25:00 UTC 2007

On Fri, Aug 03, 2007 at 09:49:55AM +0100, Simon Waters wrote:
> This is DJB's sort of territory.
> Of course the basic problem with DNS is the space is rather small, so spoofing 
> is theoretically possible even if you do use a "good" method of generating 
> transaction IDs.

It is not just theoretically possible, it is easy in practice.

So you randomize source ports too, adding nearly 16 bits to the 16 bits of
random already available. 31.97 bits of random is nothing to sneeze at if you
have a 100ms timeframe to scan it.

See http://wiki.powerdns.com/cgi-bin/resilience.fcgi/wiki and

http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

More information about the dns-operations mailing list