[conspire] DNS vulnerability details
Ruben Safir
ruben at mrbrklyn.com
Fri Jul 25 17:59:34 PDT 2008
On Fri, Jul 25, 2008 at 05:43:10PM -0700, Ryan Russell wrote:
> Ruben Safir wrote:
> >Thanks Ryan. In the recursive resolution how would the two DNS servers
> >agree which port to tickle?
>
> Standard TCP/IP "connection" logic. The DNS server in the first step is
> now acting as a DNS Client in the second step. So it picks source port
> 48621 and sends a packet to second DNS server at port 53. Second DNS
> server remembers port 48621, does what it needs to, and sends the reply
> back that way.
>
> Attacker wanted to fool DNS server 1 with a packet that appeared to be
> coming from DNS Server 2. Not knowing the source port makes it that much
> harder for the attacker.
Very good. I understand.
Thanks
ruben
>
> Ryan
--
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://fairuse.nylxs.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
"Yeah - I write Free Software...so SUE ME"
"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."
"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politics and technology have been attached at the hip since the 1st dynasty in Ancient Egypt. I guess you missed that one."
© Copyright for the Digital Millennium
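The exchange Ryan describes (server 1 acting as a client toward server 2, remembering its own source port and transaction ID, and an off-path attacker trying to forge server 2's reply) as an added worked model. This is example code written for this archive page, not anything posted in the thread or shipped by any DNS server. The port 53 "fixed port" case, the 1024-65535 ephemeral range, the name being looked up, and the simplified reply format are all assumptions made for illustration; a real reply also races against the genuine answer, which this model leaves out.

```python
"""Toy model of the DNS reply-spoofing race from the thread (added example).

A recursive resolver (server 1) sends a query to an authoritative server
(server 2) from some UDP source port with a 16-bit transaction ID (TXID).
It accepts a reply only if the reply arrives on that port AND carries that
TXID. An off-path attacker who triggered the lookup knows the name but sees
neither the port nor the TXID, so he must guess both.
"""
import random
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
TXID_SPACE = 1 << 16                    # 16-bit transaction ID
EPHEMERAL_PORTS = range(1024, 65536)    # assumed randomised source-port range


def build_reply(txid: int, qname: str) -> bytes:
    """Forged or genuine reply: real 12-byte header, QR bit set, one question,
    one answer. The question/answer sections are abbreviated to the raw name
    because only the header id and the name matter for this model."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    return DNS_HEADER.pack(txid, flags, 1, 1, 0, 0) + qname.encode("ascii")


def parse_txid(reply: bytes) -> int:
    """Pull the transaction ID out of a wire-format DNS header."""
    if len(reply) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    return DNS_HEADER.unpack_from(reply, 0)[0]


class Resolver:
    """Server 1 in its second role: a DNS client talking to server 2."""

    def __init__(self, randomize_port: bool, fixed_port: int = 53, seed: int = 0):
        self.randomize_port = randomize_port
        self.fixed_port = fixed_port          # assumed pre-fix behaviour: always 53
        self.rng = random.Random(seed)        # seeded only to keep the demo repeatable
        self.pending = {}                     # (src_port, txid) -> name awaiting a reply
        self.cache = {}

    def send_query(self, qname: str):
        txid = self.rng.getrandbits(16)
        sport = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else self.fixed_port
        self.pending[(sport, txid)] = qname   # "remembers port 48621" in Ryan's words
        return sport, txid

    def receive(self, dst_port: int, reply: bytes) -> bool:
        """Accept the reply only if port and TXID match an outstanding query."""
        txid = parse_txid(reply)
        qname = reply[DNS_HEADER.size:].decode("ascii")
        key = (dst_port, txid)
        if self.pending.get(key) != qname:
            return False                      # wrong port or wrong TXID: dropped
        del self.pending[key]
        self.cache[qname] = reply             # poisoned if this reply was forged
        return True


def spoof_attack(resolver: Resolver, qname: str, port_guesses, txid_guesses) -> bool:
    """Attacker triggers a lookup, then sprays forged replies over every
    (port, txid) guess. Returns True if any forgery is accepted."""
    resolver.send_query(qname)
    for port in port_guesses:
        for txid in txid_guesses:
            if resolver.receive(port, build_reply(txid, qname)):
                return True
    return False


def success_probability(n_forged: int, port_space: int) -> float:
    """Chance that n distinct (port, txid) guesses hit the one outstanding query."""
    return min(1.0, n_forged / (TXID_SPACE * port_space))


if __name__ == "__main__":
    name = "www.example.com"   # constructed sample name
    # Fixed source port: the attacker only needs to sweep the 16-bit TXID.
    print("fixed port, full TXID sweep:",
          spoof_attack(Resolver(randomize_port=False), name, [53], range(TXID_SPACE)))
    # Randomised source port: the same sweep at the guessed port never lands.
    print("random port, same sweep at 53:",
          spoof_attack(Resolver(randomize_port=True), name, [53], range(TXID_SPACE)))
    print("P(success) for 65536 forgeries, fixed port: ",
          success_probability(TXID_SPACE, 1))
    print("P(success) for 65536 forgeries, random port:",
          success_probability(TXID_SPACE, len(EPHEMERAL_PORTS)))
```

With a known source port the attacker's search space is the 65536 TXIDs alone, so sweeping them all guarantees a hit; once the port is drawn from roughly 64k ephemeral values as well, the same 65536 forgeries have about a 1 in 64512 chance, which is the "that much harder" in Ryan's reply. The numbers come straight from the model's assumed port range, not from any measurement of a real resolver.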