On Thu, Oct 14, 2010 at 11:57 AM, Mike Belopuhov <m...@crypt.org.ru> wrote:
> this dns code has a serious flaw.  you use arc4random to allocate request
> IDs.  this is a bad decision, as you actually want a non-repeating
> property.

Why?  Each query transmission uses a newly allocated socket with a
unique (random) source port address.  The same txid might be used by
multiple concurrent queries, but forgeries have to match both the txid
and the source port so there's no risk of colliding attacks.

I actually think aq_reqid should be randomized with *each*
transmission, however, not just when the asr_query struct is
initialized.

Also, that code doesn't seem to check the source IP address of the
response DNS packet.  An easy fix (e.g., what djbdns does) is use
connect(2) on the UDP socket so the kernel discards packets from bad
source IPs/ports, and then just use send(2) and recv(2).

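An added example (not code from the thread or from asr) of the connect(2) fix described in the reply, in C on loopback: a resolver-side UDP socket is bound to a fresh port and then connected to the server's address, a forged reply from a different source port and a genuine reply from the server are both sent to it, and the kernel delivers only the genuine one. The socket setup and the function names are my own constructs for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a fresh UDP socket to 127.0.0.1 on a kernel-chosen port; fill in sa. */
static int udp_bind_loopback(struct sockaddr_in *sa) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    socklen_t len = sizeof *sa;
    if (fd < 0) return -1;
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa->sin_port = 0;                               /* 0 = pick a free port */
    if (bind(fd, (struct sockaddr *)sa, len) < 0 ||
        getsockname(fd, (struct sockaddr *)sa, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Returns 1 if the connected resolver socket received the genuine reply and
 * not the forged one, 0 if the forgery got through, -1 on setup failure. */
int connected_udp_filters_forgery(void) {
    struct sockaddr_in srv, cli, forger;
    char buf[64]; struct pollfd pfd;
    int got_real = 0, got_forged = 0, result = -1;
    int s = udp_bind_loopback(&srv);                /* the "name server" */
    int c = udp_bind_loopback(&cli);                /* the resolver's query socket */
    int f = udp_bind_loopback(&forger);             /* a sender on another port */
    if (s < 0 || c < 0 || f < 0) goto out;
    /* The fix: connect(2) the UDP socket, so the kernel only delivers datagrams
     * whose source is exactly srv's IP:port and silently drops all others. */
    if (connect(c, (struct sockaddr *)&srv, sizeof srv) < 0) goto out;
    /* Constructed forged reply: right destination port, wrong source port. */
    if (sendto(f, "FORGED", 6, 0, (struct sockaddr *)&cli, sizeof cli) != 6) goto out;
    /* Genuine reply from the connected peer. */
    if (sendto(s, "REAL", 4, 0, (struct sockaddr *)&cli, sizeof cli) != 4) goto out;
    pfd.fd = c; pfd.events = POLLIN;
    while (poll(&pfd, 1, 200) > 0) {                /* drain what the kernel delivered */
        ssize_t n = recv(c, buf, sizeof buf, 0);
        if (n < 0) break;
        if (n == 4 && memcmp(buf, "REAL", 4) == 0) got_real = 1;
        if (n == 6 && memcmp(buf, "FORGED", 6) == 0) got_forged = 1;
    }
    result = got_real && !got_forged;
out:
    if (s >= 0) close(s); if (c >= 0) close(c); if (f >= 0) close(f);
    return result;
}
```

The same filtering applies to a mismatched source IP, not only a mismatched port, since connect(2) pins both halves of the peer address.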