On Oct 26, 2020, at 1:30 PM, Toerless Eckert <t...@cs.fau.de> wrote:
>> If you're going to do that, you might as well just turn off mDNS entirely.
> 
> How is this worse than NOT doing this heuristic?

It’s likely exactly the same. My expectation would be that the port in the SRV 
record is literally never the port number in the services table, with a few 
exceptions like ssh, which has a trust establishment framework and can’t be 
easily attacked using your proposed attack.

The sense in which it might be worse, though, is that it might fail sometimes, 
but not always. This makes it harder to figure out why it’s not working. You 
might not even realize that the problem is mDNS.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
