Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4874A9E5.6040601@gentoo.org>
Date: Wed, 09 Jul 2008 14:07:01 +0200
From: Matthias Geerdsen <vorlon@...too.org>
To: oss-security@...ts.openwall.com
Subject: DNS vulnerability: other relevant software

Hi,

looking at some of the DNS related software in our tree, I thought it 
might be nice to keep track of any findings of affected and unaffected 
packages...
So here is a start:

- posadis [1]:
	has not seen an update since dec 2004; I could not find 	any info on 
port randomization etc., but considering the age it might probably have 
other issues too.

- dnsmasq [2]:
	no port randomization [3]

- pdnsd [4]:
	no info yet

- MaraDNS [5]:
	"MaraDNS uses a strong secure RNG for both the query (16 bits of 
entropy) and the source port of the query (12 bits of entropy). This 
makes spoofing replies to a MaraDNS server more difficult, since the 
attacker has only a one in 250 million chance that a given spoofed reply 
will be considered valid." [6]

- MyDNS [7]:
	"MyDNS does not include recursive name service, nor a resolver library."
	also this thread [8]

- DNRD [9]: "Uses random source port and random query ID's to prevent 
cache poisoning."

Matthias



[1] <http://posadis.sourceforge.net/>
[2] <http://www.thekelleys.org.uk/dnsmasq/doc>
[3] 
<http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002147.html>
[4] <http://www.phys.uu.nl/~rombouts/pdnsd/>
[5] <http://www.maradns.org/>
[6] <http://www.maradns.org/tutorial/man.maradns.html>
[7] <http://mydns.bboy.net/>
[8] 
<http://sourceforge.net/mailarchive/forum.php?thread_name=714ef0060807081802h4e52a70ak4f52e06c11e2abfe%40mail.gmail.com&forum_name=mydns-users>
[9] <http://dnrd.sourceforge.net/>


-- 
Matthias Geerdsen (vorlon)

Gentoo Linux Security Team
http://security.gentoo.org


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.