[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DNS Cache poisoning and pdnsd

On Wed, Jul 09, 2008 at 09:44:21AM +0000, Kapil Hari Paranjape wrote:
> Hello,
> The Debian advisory does not mention the status of "pdnsd" w.r.t the
> DNS cache poisoning problem. A quick check seems to suggest that
> "pdnsd" also randomises the source port while sending out a query.
> Could the maintainer of "pdnsd" please confirm this? I do not want to
> file a pointless bug report if this is not a problem!

Quoting pndnsd.conf(5):

              If  given,  defines the start of the port range used for queries
              of pdnsd. The value given must be >= 1024. The purpose  of  this
              option  is to aid certain firewall configurations that are based
              on the source port. Please keep in mind that another application
              may bind a port in that range, so a stateful firewall using tar‐
              get port and/or process uid may be more  effective.  In  case  a
              query start port is given pdnsd uses this port as the first port
              of a specified port range (see query_port_end) used for queries.
              pdnsd will try to randomly select a free port from this range as
              local port for the query.
              To ensure that there are enough ports  for  pdnsd  to  use,  the
              range  between  query_port_start  and  query_port_end  should be
              adjusted to at least (par_queries * proc_limit).  A higher value
              is highly recommended, because other applications may also allo‐
              cate ports in that range. If possible, this range should be kept
              out of the space that other applications usually use.

              Only used if query_port_start is given. Defines the last port of
              the range started by query_port_start used for querys by  pdnsd.
              The  default is 65535, which is also the maximum legal value for
              this   option.    For   details   see   the    description    of

And the code matches the documentation. And yes a new socket is used for each
request if that matters.

·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org

Attachment: pgp4Rb8f21A8e.pgp
Description: PGP signature

Reply to: