[dns-operations] Bailiwick stats? Idea for mitigation...

Brian Dickson briand at ca.afilias.info
Sun Aug 10 18:40:49 UTC 2008

Paul Vixie wrote:
>> So, what we were thinking of is doing the following: When a cached  entry
>> is about to be overwritten with something different, do an  additional
>> request. The material in that additional request has to be  equal to that
>> 'something different' before the cached entry is  overwritten.
>> Roy
> far end load balancers (including those made by cisco) won't always answer
> equally.  if you repeat a query N times, then in the end you'll have to 
> either pick the last one or a random one.

Here's an observation... very likely load balancers will hash on some 
subset tuple of (src IP, dst IP, src port, dst port).

The birthday attack presumes that *some* tuple will match (the same 4 + 
TXID) exactly.
But, it doesn't know *which* one.

If the same query is sent twice, using the *same* port, and different 
TXID, in short order, it will more than likely be hashed the same way 
and be sent to the same physical server.

And that *should* get the same answer, modulo changes to the zone that 
occur in the (very short) interval.

This adds 16 bits of entropy. If the resolver is already patched, you 
get about 48 bits of entropy - pretty close to the 50 that Paul says we 

So, in the case of different answers, redo the last one on the same 
port; the last two answers should be the same.
Or even blast out a new pair of queries, deliberately closely spaced in 
time, differing only in TXID.

Since the attacker is only guessing on TXIDs, or on ports, but usually 
not both, the chances of guessing two in succession are very low.


More information about the dns-operations mailing list