"Randomize all source ports"

Admitted, I haven't spent a huge amount of time doing DNS stuff, but I
believe that I know a bit about it.

In his slides about hardening the .dk infrastructure to Kaminsky-style
attacks, Ram Mohan had the following as a bullet point: "Randomize all source
ports for DNS responses".

While I don't disagree, that source port randomization for queries
makes a lot of sense, how in the world would it do anything for responses?

Firstly, it wouldn't work, since the recursive resolver expects the response
to come from the server/port it requested it from, and that means port 53.
Secondly, it would break almost all stateful firewalls, since they have the
same expectations.

Thirdly, if we just for a moment allowed for the responses to come with a
randomized source port, I don't believe it would buy any additional protection,
since the receiving resolver does not know from where to expect the reply, and
thus it has no basis for recognizing good packets from bad.

Somebody, please educate me, I can't see the point!

Add new comment