[conspire] DNS vulnerability details

Ryan Russell ryan at thievco.com
Fri Jul 25 17:43:10 PDT 2008

Ruben Safir wrote:
> Thanks Ryan.  In the recursive resolution how would the two DNS servers
> agree which port to tickle?

Standard TCP/IP "connection" logic. The DNS server in the first step is 
now acting as a DNS Client in the second step. So it picks source port 
48621 and sends a packet to second DNS server at port 53. Second DNS 
server remembers port 48621, does what it needs to, and sends the reply 
back that way.

Attacker wanted to fool DNS server 1 with a packet that appeared to be 
coming from DNS Server 2. Not knowing the source port makes it that much 
harder for the attacker.


More information about the conspire mailing list