Subject: Re: DNS Cache Poisoning vulnerability (CVE-2008-1447, VU#800113)

From: Josh Carroll <josh.carroll_at_gmail.com>
Date: Mon, 14 Jul 2008 15:02:57 -0400

> Right, but c-ares isn't setting the source port to anything AFAIK, so it uses
> the random port provided by the OS. I believe the problems in some other
> implementations were because they explicitly set the source port number.

Actually, that (was) the problem with BIND. It was setting a source
port and was reusing it. The randomization of the source port can be
accomplished for some sockets with various tunables (e.g. on FreeBSD,
sysctl net.inet.ip.portrange.randomized=1). However, BIND was not
subject to this for some reason.

c-ares isn't a DNS _server_, is it? If not, this vulnerability really
does not affect it at all. It's nameservers that respond to queries
with the same source port (or with a trivially predictable source
port) that are the problem, not the source port used for client
queries. :)

Josh
Received on 2008-07-14
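As an added example (not part of this thread, c-ares or BIND), here is the kind of check a resolver operator could run over the source ports of captured outgoing queries to tell a fixed or sequential port (the reuse described above) from a randomized one; the port lists are constructed, not captured.

```python
"""Classify a resolver's outgoing DNS query source ports as fixed, sequential,
weak or randomized. Added example; the input would normally be the UDP source
ports of successive queries leaving the resolver, pulled from a packet capture.
"""
import math
from collections import Counter


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution."""
    counts = Counter(ports)
    total = len(ports)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def is_sequential(ports, tolerance=0.8):
    """True if at least `tolerance` of consecutive ports step by exactly +1,
    i.e. the next port is trivially predictable from the last one seen."""
    if len(ports) < 2:
        return False
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1) >= tolerance


def assess(ports):
    """Return 'fixed', 'sequential', 'weak' or 'randomized' for a run of ports."""
    if len(set(ports)) == 1:
        return "fixed"          # every query reuses one port
    if is_sequential(ports):
        return "sequential"     # OS ephemeral range walked in order
    # n samples can show at most log2(n) bits; near-maximal entropy means the
    # ports are spread out rather than drawn from a handful of values.
    if port_entropy_bits(ports) >= 0.9 * math.log2(len(ports)):
        return "randomized"
    return "weak"


# Constructed samples standing in for captured query source ports.
FIXED = [53] * 20                                  # one port reused for every query
SEQUENTIAL = list(range(32768, 32788))             # unrandomized ephemeral ports
RANDOM = [49152 + (i * 40503) % 16384 for i in range(20)]  # spread stand-in for random

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("sequential", SEQUENTIAL), ("random", RANDOM)):
        print(f"{name:10s} -> {assess(sample)} ({port_entropy_bits(sample):.2f} bits)")
```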