Regarding DNSSEC

3

I'm asking this question as software (and also because there have been a few DNSSEC questions on here in the past).

http://en.Wikipedia.org/wiki/DNS_cache_poisoning#Prevention_and_mitigation

I saw this on Wikipedia and wondered if someone could explain it for me:

"As stated above, source port randomization for DNS requests, combined with the use of cryptographically-secure random numbers for selecting both the source port and the 16-bit cryptographic nonce, can greatly reduce the probability of successful DNS race attacks"

I don't understand how port randomization would prevent DNS poisoning attacks on the client side? Or is this only referring to the DNS server? Could the same port randomization be used on the client side?

Lee Trevor

Posted 2012-01-19T23:19:19.607

Reputation: 31

It's sad to observe that the text referred to by that "as stated above" was last visible in the April 2009 revision of the article, making the article nonsensical for almost three years now. This is the sort of bad editing that makes Wikipedia articles incomprehensible.

– JdeBP – 2012-01-20T00:34:28.183

Answers

1

DNS requests are always from a client to the server, so the source port is at the client end, and is the one that needs to be randomised.

The reply from the server comes from port 53 to the original source port on the client end. As you have probably surmised from your reading, if the next source port the client uses can be predicted, then a reply could be spoofed ahead of the real reply.

Note that a DNS server is itself a client when it is not the authority for a requested domain and has recursion enabled. So you ask your DNS server for the IP address of Google.com, then that DNS server goes off and queries the root servers to work out the answer. This is where it is vital that the replies are for real, as the requesting DNS server will cache any responses and provide them as answers to any subsequent requests.

If I could predict the source port that your ISP's DNS server would use for its next query, I could inject my own answer to the request ahead of the real reply, and then your ISP's DNS would be poisoned for everyone that uses it.

(note that this scenario is greatly simplified for the sake of (hopeful) clarity)

Paul

Posted 2012-01-19T23:19:19.607

Reputation: 52,173

Hi Paul, would any of this technique (port randomizing) be done at the client end, as in the person who actually made the web request? Or is the end-user having DNSSEC on their operating system the only protection they have? – Lee Trevor – 2012-01-20T00:04:26.147

You could do port randomisation on the end-user machine, I am not sure if they do though. Most users would be behind a NAT firewall that would rewrite the source port in any case (either randomly or not). A DNS server is a much more attractive target as it affects more than one person. – Paul – 2012-01-20T00:10:20.270
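The race Paul describes, as an added example that is not part of the question or of Paul's answer: a deliberately simplified Python model of a recursive resolver with a single outstanding query, and an off-path attacker who fires forged replies at it before the genuine answer lands. The resolver accepts a reply only when the query name, the 16-bit transaction ID and the destination port all match, so the attacker's guess space is 2^16 with a fixed source port and roughly 2^16 times the size of the ephemeral port range with randomization. The one-slot resolver, the fixed port 1024, the ephemeral range 1024-65535, the query name and the IP addresses (RFC 5737 documentation ranges) are all assumptions made for the example; real resolvers also accept replies on a per-query basis but use many more slots and ports.

```python
"""
Simplified model of the DNS reply-spoofing race (constructed example).
Everything here (one-slot resolver, port numbers, addresses) is an
assumption for illustration, not the behaviour of any real resolver.
"""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16                       # 16-bit DNS transaction ID
EPHEMERAL_LO, EPHEMERAL_HI = 1024, 65535   # assumed ephemeral source-port range
FIXED_PORT = 1024                          # assumed fixed port of a legacy resolver
ATTACKER_IP, REAL_IP = "203.0.113.66", "192.0.2.10"   # documentation addresses


@dataclass
class PendingQuery:
    qname: str
    txid: int
    src_port: int


class Resolver:
    """One-slot recursive resolver: a reply is accepted only if the name,
    the transaction ID and the destination port match the outstanding query."""

    def __init__(self, randomize_port: bool, seed: int = 0):
        self.randomize_port = randomize_port
        self.rng = random.Random(seed)     # stand-in for a CSPRNG; seeded for reproducibility
        self.pending = None
        self.cache = {}

    def send_query(self, qname: str) -> PendingQuery:
        txid = self.rng.randrange(TXID_SPACE)
        if self.randomize_port:
            port = self.rng.randint(EPHEMERAL_LO, EPHEMERAL_HI)
        else:
            port = FIXED_PORT
        self.pending = PendingQuery(qname, txid, port)
        return self.pending

    def receive_reply(self, qname: str, txid: int, dst_port: int, answer: str) -> bool:
        p = self.pending
        if p is None or (qname, txid, dst_port) != (p.qname, p.txid, p.src_port):
            return False                   # mismatch: the reply is silently dropped
        self.cache[qname] = answer         # first matching reply wins and is cached
        self.pending = None                # the genuine reply will now be dropped
        return True


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations an off-path attacker has to guess among."""
    ports = (EPHEMERAL_HI - EPHEMERAL_LO + 1) if randomize_port else 1
    return TXID_SPACE * ports


def success_probability(randomize_port: bool, spoofed_replies: int) -> float:
    """Chance that at least one of N independent random guesses matches the slot
    before the genuine reply arrives."""
    return 1.0 - (1.0 - 1.0 / guess_space(randomize_port)) ** spoofed_replies


def attack_once(resolver: Resolver, qname: str, spoofed_replies: int,
                attacker: random.Random) -> bool:
    """Race one query: the attacker sends N forged replies, then the real one lands.
    The attacker is assumed to know the query name and, for the legacy case, the fixed port."""
    resolver.send_query(qname)
    for _ in range(spoofed_replies):
        txid = attacker.randrange(TXID_SPACE)
        if resolver.randomize_port:
            port = attacker.randint(EPHEMERAL_LO, EPHEMERAL_HI)
        else:
            port = FIXED_PORT
        if resolver.receive_reply(qname, txid, port, ATTACKER_IP):
            return True                    # poisoned ahead of the genuine reply
    p = resolver.pending                   # slot still open: the real answer is accepted
    resolver.receive_reply(qname, p.txid, p.src_port, REAL_IP)
    return False


def simulate(randomize_port: bool, trials: int, spoofed_replies: int, seed: int = 1) -> float:
    """Observed fraction of races the attacker wins over many fresh queries."""
    attacker = random.Random(seed)
    wins = 0
    for i in range(trials):
        r = Resolver(randomize_port, seed=seed + i + 1)
        if attack_once(r, "www.example.com", spoofed_replies, attacker):
            wins += 1
    return wins / trials


def exhaustive_txid_sweep(resolver: Resolver, qname: str) -> bool:
    """Attacker who knows the port and can send 65536 packets in the race window
    tries every TXID: guaranteed against a fixed port, hopeless against a random one."""
    resolver.send_query(qname)
    for txid in range(TXID_SPACE):
        if resolver.receive_reply(qname, txid, FIXED_PORT, ATTACKER_IP):
            return True
    return False


if __name__ == "__main__":
    for rp in (False, True):
        print(f"port randomization={rp}: guess space={guess_space(rp)}, "
              f"P(win | 1000 forged replies)={success_probability(rp, 1000):.2e}, "
              f"observed={simulate(rp, 300, 1000):.4f}")
```

With a fixed source port, a thousand forged replies in the race window win about 1.5% of the time, and an attacker who can repeat the race (or sweep all 65536 IDs) gets in quickly; with the port drawn from a 64512-entry range the same budget wins with probability around 2e-7. The model also shows why Paul's point about NAT matters: a middlebox that rewrites the randomized source port to a predictable one collapses the second factor back to 1, which is exactly the legacy case.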