[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Lutz Donnerhacke lutz at iks-jena.de
Fri Jul 11 07:28:16 UTC 2008


* bert hubert wrote:
> Right now, DNS as it is really only needs (say) an additional 16 bits of
> entropy beyond what source port randomisation can provide. DNS over TCP
> offers that today, btw.

Those 16 bits shift the attack time from seconds to hours. For poisoning a
central resolver of a large broadband access provider, this does not matter.
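
Added example, not part of the original message: a rough model, for a resolver operator, of how the time until a blind forged response is likely to match scales with the number of bits an off-path sender must guess. The spoof rate, race-window length, 50% target and the three bit counts are assumptions chosen for illustration, and the model assumes a new race window is always available.

```python
import math

# Assumed figures (not from the message): sustained forged-packet rate and
# the time a query stays outstanding before the genuine answer arrives.
ASSUMED_RATE_PPS = 50_000
ASSUMED_WINDOW_S = 0.05

def windows_needed(entropy_bits, guesses_per_window, target=0.5):
    """Race windows needed until the cumulative chance that one forged
    response matches all unpredictable fields reaches `target`."""
    space = 2 ** entropy_bits
    p = min(1.0, guesses_per_window / space)  # distinct guesses per window
    if p >= 1.0:
        return 1
    # Solve 1 - (1 - p)^k >= target for k; log1p keeps precision for tiny p.
    return math.ceil(math.log1p(-target) / math.log1p(-p))

def time_to_target(entropy_bits, rate_pps=ASSUMED_RATE_PPS,
                   window_s=ASSUMED_WINDOW_S, target=0.5):
    """Seconds of sustained spoofing until success probability hits `target`."""
    guesses = max(1, round(rate_pps * window_s))
    return windows_needed(entropy_bits, guesses, target) * window_s

def scaling_table():
    """(label, bits, seconds) for three assumed entropy levels."""
    cases = [
        ("16-bit query ID only", 16),
        ("query ID + 16 bits of source port", 32),  # assumes a full 16-bit port range
        ("a further 16 bits on top", 48),
    ]
    return [(label, bits, time_to_target(bits)) for label, bits in cases]

if __name__ == "__main__":
    for label, bits, secs in scaling_table():
        print(f"{bits:2d} bits  {label:36s} {secs:16.1f} s  "
              f"({secs / 3600:14.2f} h)")
```

Under these assumptions each additional 16 bits multiplies the time by roughly 2^16; real resolvers draw ports from a somewhat smaller range, so the middle row is an upper bound.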



