[dns-operations] summary of recent vulnerabilities in DNS security.
jim at rfc1035.com
Mon Oct 21 16:20:54 UTC 2013
On 21 Oct 2013, at 16:54, Keith Mitchell <keith at smoti.org> wrote:
> Applying the same 5-years' now-outside hindsight to this, the benefits
> of all that port randomization work seem murky at best -
There was/is a vulnerability and it's been (sort of) plugged. Surely that's a Good Thing? Even if it just means the bar has been raised for an attacker. And only for those who have installed new-ish DNS code.
> The Herzberg/Shulman attacks seem even harder to exploit in
> a real (as opposed to lab) environment
Maybe. OTOH knowing about this weakness and doing little to counteract it -- save for the universal deployment of DNSSEC -- seems irresponsible to me. YMMV.
That said, there are other vulnerabilities that are probably more significant than cache poisoning attacks: e.g. the probably intractable reflector/amplification problems.
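One check an operator can run to confirm that the "new-ish DNS code" mentioned above really does randomize source ports: an added Python example, not from this thread or any resolver's own tooling. It takes (source port, transaction ID) pairs as they would be pulled from a capture of a resolver's outbound queries; the three sample sets below are constructed.

```python
import math
from collections import Counter

# Constructed samples of (source_port, txid) as a resolver would emit them.
# A real check would read these from a packet capture of outbound queries.
RANDOMIZED = [(49152 + (i * 7919) % 16384, (i * 40503) % 65536) for i in range(200)]
FIXED_PORT = [(53, (i * 40503) % 65536) for i in range(200)]
SEQUENTIAL = [(32768 + i, (i * 40503) % 65536) for i in range(200)]


def shannon_entropy_bits(values):
    """Empirical Shannon entropy (bits) of an observed sequence.

    With n samples this can never exceed log2(n), so it understates the true
    entropy of a good generator; it is still enough to spot a broken one."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(ports, tolerance=0.9):
    """True when at least `tolerance` of consecutive port steps are exactly +1."""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if not steps:
        return False
    return sum(1 for s in steps if s == 1) / len(steps) >= tolerance


def assess(samples):
    """Summarise how much an attacker must guess per spoofed reply."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_bits = shannon_entropy_bits(ports)
    txid_bits = shannon_entropy_bits(txids)
    if len(set(ports)) == 1:
        verdict = "fixed source port"       # only the 16-bit TXID protects you
    elif is_sequential(ports):
        verdict = "sequential source port"  # next port is trivially predictable
    else:
        verdict = "ok"
    return {
        "distinct_ports": len(set(ports)),
        "port_bits": port_bits,
        "txid_bits": txid_bits,
        "guess_space_bits": port_bits + txid_bits,  # observed lower bound
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, data in (("randomized", RANDOMIZED), ("fixed", FIXED_PORT), ("sequential", SEQUENTIAL)):
        print(name, assess(data))
```

A fixed or sequential verdict means the resolver is effectively back to a 16-bit TXID search space, which is the pre-2008 situation the port randomization work was meant to fix.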