Peter J. Holzer wrote:
> While investigating this (and before reading your mail) I found out two
> other facts which are rather bad:
> 1) Net::DNS by default uses port 0, and Linux seems to assign ports
> sequentially. This makes it rather easy to guess port numbers.
This would only be an issue if we were worried about someone injecting
false information into our queries, right? I'm not going to lose any
sleep over this for our application (especially since I am using a
stateful firewall which makes this nigh impossible).
> 2) Net::DNS assigns a random id when the package is loaded and just
> increments the id for each request. This also makes ID guessing easy.
> What's worse, with forkserver the package is loaded in the parent
> process, so every child goes through the same sequence of IDs!
> It doesn't matter in this case, since the ID isn't checked anyway,
> but for synchronous requests it makes a difference.
This is more of a problem, since we are actively urging people to use
forkserver. Can we use eval "use Net::DNS" after we fork to prevent
this from happening? Can we poke a new ID value manually for each fork
instance?
John
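The forkserver problem Peter describes (a counter seeded once in the parent, inherited unchanged by every child) and the per-child reseed John asks about, as an added illustration. This is Python written for this note, not Net::DNS or any code from the thread; `SequentialIdSource`, `RandomIdSource` and `ids_from_forked_children` are invented names that model the behaviour in miniature rather than calling the real resolver.

```python
import os
import random
import struct


class SequentialIdSource:
    """The weak scheme from the thread: pick a random 16-bit start once
    (at construction, i.e. in the parent before any fork) and increment
    it for every query. Forked children inherit the same counter value."""

    def __init__(self):
        self.reseed()

    def reseed(self):
        # Fresh start value from the OS CSPRNG; calling this after fork()
        # is the "poke a new ID value per child" workaround.
        self.next = random.SystemRandom().randrange(0, 1 << 16)

    def next_id(self):
        current = self.next
        self.next = (self.next + 1) & 0xFFFF
        return current


class RandomIdSource:
    """The stronger scheme: a fresh 16-bit id from os.urandom for every
    query, so no predictable state survives fork() or leaks between queries."""

    def reseed(self):
        pass  # nothing to reseed: there is no per-process counter

    def next_id(self):
        return struct.unpack("!H", os.urandom(2))[0]


def ids_from_forked_children(source, n_children, n_ids, reseed_in_child=False):
    """Fork n_children from the current process (which owns `source`), let
    each child draw n_ids and return the per-child id sequences in order.
    The parent never draws ids itself, mimicking a forkserver whose parent
    only loads the module and forks."""
    sequences = []
    for _ in range(n_children):
        read_fd, write_fd = os.pipe()
        pid = os.fork()
        if pid == 0:  # child
            os.close(read_fd)
            if reseed_in_child:
                source.reseed()
            seq = [source.next_id() for _ in range(n_ids)]
            os.write(write_fd, struct.pack("!%dH" % n_ids, *seq))
            os.close(write_fd)
            os._exit(0)
        # parent: collect exactly 2 * n_ids bytes from this child
        os.close(write_fd)
        data = b""
        while len(data) < 2 * n_ids:
            chunk = os.read(read_fd, 2 * n_ids - len(data))
            if not chunk:
                break
            data += chunk
        os.close(read_fd)
        os.waitpid(pid, 0)
        sequences.append(list(struct.unpack("!%dH" % n_ids, data)))
    return sequences


def all_children_identical(sequences):
    """True when every child produced exactly the same id sequence."""
    return all(seq == sequences[0] for seq in sequences)


if __name__ == "__main__":
    weak = ids_from_forked_children(SequentialIdSource(), 3, 4)
    print("shared counter, no reseed :", weak, "identical:", all_children_identical(weak))
    poked = ids_from_forked_children(SequentialIdSource(), 3, 4, reseed_in_child=True)
    print("shared counter, reseeded  :", poked, "identical:", all_children_identical(poked))
    strong = ids_from_forked_children(RandomIdSource(), 3, 4)
    print("per-query random id       :", strong, "identical:", all_children_identical(strong))
```

With the inherited counter every child prints the same four ids, which is the situation Peter points out; reseeding in the child, or drawing each id from the OS CSPRNG, gives every child its own unpredictable sequence. Guessable ids only matter for a resolver that checks them, which is the synchronous case in the thread.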