ubuntu-devel Digest, Vol 23, Issue 16

Dan Kegel dank at kegel.com
Wed Jul 5 01:10:12 BST 2006


On 7/4/06, Scott James Remnant <scott at ubuntu.com> wrote:
> > strace seems to show that by default, the DNS port is only open
> > until the response is received.  So it looks like there's only one
> > open UDP port,  not two.
>
> No, it's still an open port.  UDP lacks any form of checking that things
> received are the expected responses, and while the port is open for the
> response anything can be sent to it (this is safe-guarded with TCP,
> which is why TCP connections aren't considered "open ports").

Good point.  (The window during which the port is open is pretty short,
which lessens the chance of an attack succeeding, but doesn't make it zero.)
I wonder how practical it would be to get glibc to use tcp for
DNS requests... a friend of mine is about to open a can of whoop-ass
on nscd, maybe I'll ask him to look into that.   (Not that ubuntu uses nscd
by default, but never mind that...)

There remains the dhcp open port.  I'm still curious why that needs to be there
while the client is in bound state.   (Even if we get rid of that, there will
still be a window during system startup when it's vulnerable to attack,
but that's by design; dhcp is inherently promiscuous.   I have to hope that
networks managed by DHCP also filter out bogus DHCP packets from outside.)
- Dan
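The point Scott makes above is that a UDP resolver socket, while it waits for an answer, will hand the caller whatever datagram arrives; it is the resolver's own bookkeeping that decides whether a datagram is the reply it asked for. The following is an added illustration of that bookkeeping, written for this page and not taken from glibc, nscd, Ubuntu or either poster. It builds a minimal DNS query and answer in wire format and then applies the checks a stub resolver should apply before trusting a datagram: it came from the server we sent to, the transaction ID matches, the QR bit is set, and the question section echoes ours. The addresses and the name looked up are constructed sample values.

```python
import socket
import struct

# Constructed sample values for the demo (not taken from the thread).
SERVER = ("192.0.2.53", 53)      # the resolver we sent our query to
INTRUDER = ("198.51.100.7", 53)  # some other host writing to our open UDP port


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype=1):
    """Minimal DNS query: header with RD set and one question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, ipv4, ttl=300):
    """Answer a one-question query with a single A record, echoing its question."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    # Name pointer 0xC00C points back at the question name; then type A, class IN.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ipv4)
    return header + question + answer


def question_of(pkt):
    """Return the question section bytes of a one-question packet (offset 12 onward)."""
    i = 12
    while pkt[i] != 0:          # walk the labels until the terminating zero
        i += pkt[i] + 1
    i += 1
    return pkt[12:i + 4]        # include QTYPE and QCLASS


def is_expected_response(query, resp, expected_src, actual_src):
    """The stub resolver's acceptance test for a datagram read from its UDP socket.

    Every datagram the kernel delivers reaches this point; nothing at the
    transport layer ties it to the query, so each check here is the only filter.
    """
    if actual_src != expected_src:
        return False
    if len(resp) < 12:
        return False
    txid, flags, qdcount = struct.unpack("!HHH", resp[:6])
    if txid != struct.unpack("!H", query[:2])[0]:
        return False
    if not flags & 0x8000:      # QR bit: must be a response, not another query
        return False
    if qdcount != 1:
        return False
    try:
        return question_of(resp) == question_of(query)
    except IndexError:          # truncated or malformed question section
        return False


def demo():
    """Run the check against a genuine answer and two unsolicited datagrams."""
    query = build_query(0x1234, "example.com")
    genuine = build_response(query, "93.184.216.34")
    # Same transaction ID, but delivered from a host we never asked.
    from_elsewhere = build_response(query, "203.0.113.9")
    # Right source address, but the transaction ID does not match ours.
    wrong_txid = build_response(build_query(0x1235, "example.com"), "203.0.113.9")
    return [
        is_expected_response(query, genuine, SERVER, SERVER),
        is_expected_response(query, from_elsewhere, SERVER, INTRUDER),
        is_expected_response(query, wrong_txid, SERVER, SERVER),
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

Of the four checks, the source-address comparison is the weakest: a UDP source address is whatever the sender wrote in the header, so for a sender on the network path it is not a barrier at all. What actually narrows the window Dan describes is the transaction ID (16 bits) together with an unpredictable source port; a resolver that reuses a fixed port or sequential IDs gives that entropy away. Moving the exchange to TCP, as Dan wonders about, removes the problem because the handshake binds the reply to the connection before any data is accepted.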


