On Monday, 31. December 2001 14:20, Thomas Seyrat wrote:

> By forcing the source port for recursive requests to a given fixed
> one, do you not make yourself more vulnerable to the spoofing attacks
> you were talking about, because the attacker does not have to predict
> the source port of the query ?

Please think about the following two lines bind sent to my syslog:

Dec 20 13:02:07 host named[571]: reloading nameserver
Dec 20 13:02:07 host named[571]: Forwarding source address is [0.0.0.0].1141
Dec 20 13:02:07 host named[571]: Ready to answer queries.

So I'm guessing bind always uses a fixed source port which is determined when starting the name-server. The attacker has to know the source port for any attack, but when you are offering recursive queries to the internet, the attacker only has to be providing name-services for a domain to get your source-port: he asks your nameserver to resolve his domain and logs the incoming packets from your server to his nameserver (or some nameserver he cracked). If you are only providing recursive lookups for your network it would be harder to get your source-port.

Peter
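The following is an added example, not part of the original thread and not BIND's own code. It parses the "Forwarding source address" syslog line quoted above, extracts the source port BIND chose at startup, and rates the exposure from a defender's view: with a fixed source port only the 16-bit query ID remains for an off-path spoofer to match, and if recursion is open to the internet that port is learnable by anyone whose authoritative server your resolver queries. The syslog line format is taken from the post; the second "restart" line with pid 612 and port 1203 is a constructed sample to show that the port only changes across restarts, and the severity labels are this example's own convention.

```python
import re
from typing import List, NamedTuple, Dict, Iterable

# Matches the BIND 8 style syslog line quoted in the post, e.g.
#   Dec 20 13:02:07 host named[571]: Forwarding source address is [0.0.0.0].1141
FORWARDING_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"named\[(?P<pid>\d+)\]: Forwarding source address is "
    r"\[(?P<addr>[0-9.]+)\]\.(?P<port>\d+)\s*$"
)

# Constructed sample: the three lines from the post plus one restart
# (pid 612, port 1203) to show the port is fixed per process lifetime.
SAMPLE_SYSLOG = [
    "Dec 20 13:02:07 host named[571]: reloading nameserver",
    "Dec 20 13:02:07 host named[571]: Forwarding source address is [0.0.0.0].1141",
    "Dec 20 13:02:07 host named[571]: Ready to answer queries.",
    "Dec 21 09:15:42 host named[612]: reloading nameserver",
    "Dec 21 09:15:42 host named[612]: Forwarding source address is [0.0.0.0].1203",
    "Dec 21 09:15:42 host named[612]: Ready to answer queries.",
]


class ForwardingSource(NamedTuple):
    host: str
    pid: int
    addr: str
    port: int


def parse_forwarding_sources(lines: Iterable[str]) -> List[ForwardingSource]:
    """Extract every 'Forwarding source address' line; other lines are ignored."""
    found = []
    for line in lines:
        m = FORWARDING_RE.match(line.strip())
        if m:
            found.append(ForwardingSource(m["host"], int(m["pid"]),
                                          m["addr"], int(m["port"])))
    return found


def assess(src: ForwardingSource, recursion_open_to_internet: bool) -> Dict[str, object]:
    """Rate the exposure of a resolver whose outgoing source port is fixed.

    The DNS query ID is 16 bits, so with the port known an off-path attacker
    has 2**16 candidates per forged answer; a randomised port would add
    another 16 bits (2**32). Severity labels are this example's convention.
    """
    query_id_space = 2 ** 16
    finding = {
        "host": src.host,
        "pid": src.pid,
        "fixed_port": src.port,
        "guess_space": query_id_space,          # attacker must match only the query ID
        "guess_space_if_random_port": query_id_space * 2 ** 16,
        "port_learnable_by_anyone": recursion_open_to_internet,
    }
    if recursion_open_to_internet:
        # Anyone can run an authoritative server for a domain, ask this resolver
        # to look it up, and read the source port off the incoming query.
        finding["severity"] = "high"
        finding["recommendation"] = ("restrict recursion to your own networks "
                                     "and randomise the query source port")
    else:
        # Port is still fixed, but learning it needs a query from inside the
        # recursion-allowed set; lower exposure, same underlying weakness.
        finding["severity"] = "medium"
        finding["recommendation"] = "randomise the query source port"
    return finding


def ports_per_restart(lines: Iterable[str]) -> Dict[int, int]:
    """Map each named pid (one per restart) to the fixed port it logged."""
    return {s.pid: s.port for s in parse_forwarding_sources(lines)}


if __name__ == "__main__":
    for s in parse_forwarding_sources(SAMPLE_SYSLOG):
        print(assess(s, recursion_open_to_internet=True))
    print(ports_per_restart(SAMPLE_SYSLOG))
```

Running the block over the constructed sample reports one finding per restart; the same check can be pointed at a real syslog to confirm whether a resolver is still announcing a single forwarding port.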