On 2006-03-14 16:36:13 -0500, John Peacock wrote:
> Peter J. Holzer wrote:
> >While investigating this (and before reading your mail) I found out two
> >other facts which are rather bad:
> >
> >1) Net::DNS by default uses port 0, and Linux seems to assign ports
> >   sequentially. This makes it rather easy to guess port numbers.
> 
> This would only be an issue if we were worried about someone injecting 
> false information into our queries, right?

Yes.

>  I'm not going to lose any sleep over this for our application (especially
>  since I am using a stateful firewall which makes this nigh impossible).

The sequential port numbering makes it easier to get through the
stateful firewall as well. However that is only true if the attacker can
see some query packets. If qpsmtpd queries a local nameserver
and the attacker is outside of the firewall, he won't ever see queries
from qpsmtpd, but only queries from the nameserver, so he can only
attack the nameserver (and at least some nameservers (e.g., bind) are
even easier to attack since they use a fixed source port).


> >2) Net::DNS assigns a random id when the package is loaded and just
> >   increments the id for each request. This also makes ID guessing easy.
> >   What's worse, with forkserver the package is loaded in the parent
> >   process, so every child goes through the same sequence of IDs!
> >   It doesn't matter in this case, since the ID isn't checked anyway,
> >   but for synchronous requests it makes a difference.
> 
> This is more of a problem, since we are actively urging people to use 
> forkserver.  Can we use eval "use Net::DNS" after we fork to prevent 
> this from happening?  Can we poke a new ID value manually for each fork 
> instance?

Yes. It's ugly but it works:

        srand();                       # reseed the child's PRNG after fork
        for (0 .. rand(65536)) {       # advance the shared ID counter a random distance
            Net::DNS::Header::nextid();
        }

It would be better for Net::DNS to generate random IDs, though.

        hp

-- 
   _  | Peter J. Holzer    | I now realize that computers are poorly
|_|_) | Sysadmin WSR       | suited for remembering things.
| |   | [EMAIL PROTECTED]  |
__/   | http://www.hjp.at/ |    -- Holger Lembke in dan-am
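As an added illustration (not code from this thread and not Net::DNS code), here is a Python model of the two problems described above: a transaction ID counter that is seeded once at module load and then incremented per query, and a forking server handing every child an identical copy of that counter. `copy.deepcopy` stands in for fork() copying the process image, the seed and query counts are constructed, and the class and function names are my own. It also includes the check a defender could run over the IDs of captured outgoing queries to spot the sequential pattern.

```python
"""Model of the two Net::DNS weaknesses discussed above: a counter-based
transaction ID seeded once per process, and the way a forking server
hands every child an identical copy of that counter.  Constructed
illustration; it does not use Net::DNS or perform real DNS queries."""
import copy
import random
import secrets
from typing import Dict, List, Sequence


class CounterIdGenerator:
    """Random starting point at load time, then +1 per query (mod 2^16)."""

    def __init__(self, rng: random.Random) -> None:
        self._next = rng.randrange(0, 65536)

    def next_id(self) -> int:
        current = self._next
        self._next = (self._next + 1) & 0xFFFF
        return current


class RandomIdGenerator:
    """What the mail asks for: an independent 16-bit ID per query, drawn
    from the OS CSPRNG, so no observed ID reveals the next one."""

    def next_id(self) -> int:
        return secrets.randbelow(65536)


def make_parent(seed: int) -> CounterIdGenerator:
    """The parent process loads the module once.  The seed is constructed
    for reproducibility; a real process would seed from time/pid."""
    return CounterIdGenerator(random.Random(seed))


def fork_children(parent: CounterIdGenerator, n: int) -> List[CounterIdGenerator]:
    """fork() duplicates the whole process image, generator state included.
    deepcopy stands in for that copy; no real fork happens here."""
    return [copy.deepcopy(parent) for _ in range(n)]


def reseed_after_fork(child: CounterIdGenerator) -> CounterIdGenerator:
    """The workaround from the mail, in this model: jump the child's counter
    to a fresh random position so siblings stop sharing one sequence."""
    child._next = secrets.randbelow(65536)
    return child


def id_sequences(children: Sequence[CounterIdGenerator], per_child: int) -> List[List[int]]:
    """Each child issues per_child queries; return the IDs it used."""
    return [[g.next_id() for _ in range(per_child)] for g in children]


def looks_sequential(ids: Sequence[int], min_run: int = 4) -> bool:
    """Check a defender can run over the IDs of captured outgoing queries:
    True if min_run consecutive IDs each equal the previous one plus one
    (mod 2^16).  Randomly chosen IDs essentially never trip this."""
    run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == (prev + 1) & 0xFFFF else 1
        if run >= min_run:
            return True
    return False


def demo(seed: int = 20060314, children: int = 3, queries: int = 6) -> Dict[str, object]:
    """Run the model end to end and return the observations."""
    parent = make_parent(seed)
    kids = fork_children(parent, children)
    shared = id_sequences(kids, queries)

    reseeded = [reseed_after_fork(k) for k in fork_children(parent, children)]
    diverged = id_sequences(reseeded, queries)

    rnd = [RandomIdGenerator().next_id() for _ in range(queries)]
    return {
        "children_identical": all(s == shared[0] for s in shared),
        "children_sequential": looks_sequential(shared[0]),
        "reseeded_all_identical": all(s == diverged[0] for s in diverged),
        "random_sequential": looks_sequential(rnd),
        "shared": shared,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the distinction in the mail concrete: reseeding each child after fork stops the children from walking the same ID sequence, but every child's IDs remain sequential and so still fail the `looks_sequential` check; only the per-query random generator removes the predictability entirely, which is why random IDs in Net::DNS itself would be the better fix.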
