|
|
BugTraq
Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer) Jul 24 2007 05:40PM securityfocus networkontap com (2 replies) Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer) Jul 24 2007 08:18PM Jamie Riden (jamie riden gmail com) (2 replies) Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer) Jul 27 2007 04:40AM Gadi Evron (ge linuxbox org) (2 replies) Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer) Jul 27 2007 07:19PM Amit Klein (aksecurity gmail com) (1 replies) Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer) Jul 27 2007 06:54PM Tim Newsham (newsham lava net) (1 replies) Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer) Jul 27 2007 04:37PM Tim (tim-security sentinelchicken org) Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer) Jul 26 2007 10:50PM Theo de Raadt (deraadt cvs openbsd org) Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer) Jul 24 2007 08:07PM Amit Klein (aksecurity gmail com) |
|
Privacy Statement |
>> "it's not like this hasn't been reported, and fixed, many times by
>> many others" - so if it's fixed so many times, how come it was still
>> vulnerable, and ISC had to issue their patches?
>
> Because its just a 16-bit field. DNS is broken. Cache poisoning will
> happen. Those are the facts on the ground. The only argument left
> is the degree of brokenness.
Perhaps. Even so, adding, as you (and many others) suggested previously,
UDP source port (strong) randomization, in combination with strong
transaction ID randomization would make poisoning way way harder than
where it is today. Instead of 16 bits, you'd have ~30 bits of (strong)
randomness. That's much better, and there's no reason I see why it can't
be implemented today.
[ reply ]