In violation of my own draft-draft RFC!

Posted by bert hubert Fri, 12 May 2006 22:08:00 GMT

Talk about embarrassing. You may know I’m busy working on a draft-draft RFC (it becomes an ‘Internet-Draft’ once submitted) about making DNS safer through some implementation and operational guidelines (see dns-anti-spoofing.html and dns-anti-spoofing.txt).

While writing this document, I decided to add a section on the ‘birthday paradox attack’. Reported in 2002, this is a curious mathematical phenomenon that makes spoofing a nameserver vastly easier to do.

So I wrote down the specification:

Given the above, a recursor MUST:

* Use a new random source port from its available
  range for each outgoing query
* Make full use of all 16 bits of the ID field
* Assure that its choices of port and ID cannot
  be predicted by an attacker having knowledge of
  its (pseudo-)random generator
* Take measures to prevent having multiple equivalent
  questions outstanding to any authoritative server

Which is all fine. Except that PowerDNS did not adhere to the bit about equivalent outstanding questions! PowerDNS contains a general system that prevents heaps of identical queries from leaving the server, but that doesn’t translate well into ‘standardese’, you’d get something like ‘recursors MUST have a system that sort of prevents most of the identical queries’.

So, I added ‘query-chaining’ to PowerDNS, which detects this situation and puts an MThread to sleep when it tries to send out a duplicate question. When the answer to the initial question arrives, they all get woken up.

Due to the throttling code already in place, and the source port randomisation, this does not improve our security significantly, but at least I’m now in compliance with my own draft-draft RFC :-)
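To make the chaining idea concrete, here is an added sketch of it in Python (written for this post, not PowerDNS’s own code): identical questions to the same authoritative server share one in-flight query, followers sleep until the leader’s answer arrives, and a small helper estimates why that matters against the birthday attack. The class, function names, the 192.0.2.1 answer and the `fake_send` network stand-in are all constructed here.

```python
import math
import threading

class ChainingResolver:
    """Hypothetical outgoing-query chaining: one in-flight query per
    (qname, qtype, server); equivalent questions wait for its answer."""

    def __init__(self, send):
        self._send = send          # send(qname, qtype, server) -> answer (the wire)
        self._lock = threading.Lock()
        self._inflight = {}        # key -> (done Event, one-slot answer list)
        self.sent = 0              # questions actually put on the wire
        self.entered = 0           # callers that have reached resolve()

    def resolve(self, qname, qtype, server):
        key = (qname.lower().rstrip("."), qtype, server)
        with self._lock:
            self.entered += 1
            entry = self._inflight.get(key)
            leader = entry is None
            if leader:             # first asker sends; later ones chain onto it
                entry = (threading.Event(), [])
                self._inflight[key] = entry
                self.sent += 1
        done, box = entry
        if not leader:
            done.wait()            # sleep until the initial question is answered
            return box[0]
        box.append(self._send(qname, qtype, server))
        with self._lock:
            del self._inflight[key]  # a later question starts a fresh query
        done.set()                   # wake every chained waiter
        return box[0]

def spoof_success(outstanding, forged, space=65536):
    """Approximate chance that one of `forged` replies matches one of
    `outstanding` equivalent queries, each tagged with a random value from
    `space` possibilities (IDs alone, or IDs x source ports)."""
    return 1.0 - math.exp(-outstanding * forged / space)

def run_demo(clients=50):
    release = threading.Event()    # stands in for the authoritative reply
    def fake_send(qname, qtype, server):
        release.wait()
        return (qname, qtype, server, "192.0.2.1")  # constructed answer
    r, results = ChainingResolver(fake_send), []
    ask = lambda: results.append(r.resolve("www.example.org", "A", "ns.example.org"))
    threads = [threading.Thread(target=ask) for _ in range(clients)]
    for t in threads: t.start()
    while r.entered < clients: threading.Event().wait(0.001)  # all are asking
    release.set()
    for t in threads: t.join()
    return r.sent, len(results), len(set(results))
```

With 300 equivalent questions outstanding, 300 forged replies succeed about three quarters of the time against a bare 16-bit ID; with chaining only one question is outstanding, and the same effort drops below half a percent.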

Code is linked here.
