[dns-operations] AT&T DNS Cache Poisoning?

[David Conrad]

Bert,

On Oct 27, 2012, at 10:55 PM, bert hubert <bert.hubert at netherlabs.nl> wrote:
> Thus continuing the trend that all purported cache poisonings observed have been registry hacks.

Looks that way, although it looks like this wasn't really a registry hack but rather what happens when a domain name expires these days. With that said, I still believe the most critical vulnerability in the DNS is in the security of the registrars.

> It appears that source port randomization works. 

Was there ever any doubt?  The question wasn't (isn't?) whether source port randomization would work, it was how long it would work.  Source port randomization simply protects the communication channel, not the data -- it kicks the can down the road (yet again). DNSSEC protects the data making the communication channel irrelevant. IMHO, it is a better long-term solution (folks who know my opinion on DNSSEC may now require smelling salts).

> Probably the only vulnerable servers are those behind NAT that derandomizes
> the source port. But important servers are unlikely to suffer from network
> address translation.

Heh.  Let me introduce you to CGN... :-)

Regards,
-drc