[conspire] DNS vulnerability details

Ruben Safir ruben at mrbrklyn.com
Fri Jul 25 17:59:34 PDT 2008

On Fri, Jul 25, 2008 at 05:43:10PM -0700, Ryan Russell wrote:
> Ruben Safir wrote:
> >Thanks Ryan.  In the recursive resolution how would the two DNS servers
> >agree which port to tickle?
> Standard TCP/IP "connection" logic. The DNS server in the first step is 
> now acting as a DNS Client in the second step. So it picks source port 
> 48621 and sends a packet to second DNS server at port 53. Second DNS 
> server remembers port 48621, does what it needs to, and sends the reply 
> back that way.
> Attacker wanted to fool DNS server 1 with a packet that appeared to be 
> coming from DNS Server 2. Not knowing the source port makes it that much 
> harder for the attacker.

Very good.  I understand.



> 					Ryan

http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world  - RI Safir 1998

http://fairuse.nylxs.com  DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

"Yeah - I write Free Software...so SUE ME"

"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."

"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politcs and technology have been attached at the hip since the 1st dynasty in Ancient Egypt.  I guess you missed that one."

© Copyright for the Digital Millennium

More information about the conspire mailing list