ubuntu-devel Digest, Vol 23, Issue 16
Daniel Pittman
daniel at rimspace.net
Wed Jul 5 03:05:22 BST 2006
"Dan Kegel" <dank at kegel.com> writes:
> On 7/4/06, Scott James Remnant <scott at ubuntu.com> wrote:
>> > strace seems to show that by default, the DNS port is only open
>> > until the response is received. So it looks like there's only one
>> > open UDP port, not two.
>>
>> No, it's still an open port. UDP lacks any form of checking that things
>> received are the expected responses, and while the port is open for the
>> response anything can be sent to it (this is safe-guarded with TCP,
>> which is why TCP connections aren't considered "open ports").
>
> Good point. (The window during which the port is open is pretty short,
> which lessens the chance of an attack succeeding, but doesn't make it zero.)
> I wonder how practical it would be to get glibc to use tcp for
> DNS requests...
That would make you extremely unpopular in a wide range of ISP
environments, as you just radically increased the load on their DNS
servers. The rest of the Internet infrastructure might well want a work
also...
Not to mention the much lower performance for DNS lookups from your new
TCP-only client, especially on loaded links, and the much higher
probability of triggering bugs by using a much less tested code path in
the various DNS servers out there.
[...]
> There remains the dhcp open port. I'm still curious why that needs to
> be there while the client is in bound state.
Because DHCP requires address renewal, which requires communication with
the DHCP server. The client, at least in sane cases, drops away from
root (which can open raw sockets) to mitigate security risks.
So, you either run your DHCP client as root full time, or you keep the
socket open.
Regards,
Daniel
--
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact at digital-infrastructure.com.au
http://digital-infrastructure.com.au/
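An added example, not code from this thread, to make Scott's "still an open port" point concrete: a resolver's UDP socket accepts a datagram from any peer while it waits for its reply, and calling connect() on the UDP socket makes the kernel drop datagrams from other source addresses. All three sockets are constructed on loopback; the "server" stands in for a DNS server that never answers.

```python
import socket

# Added example: demonstrates the UDP "open port" window during a DNS lookup.
# The server socket below stands in for a DNS server and never replies; the
# stranger socket is an unrelated peer on another port (constructed sample setup).

def stranger_datagram_reaches_client(connect_client: bool) -> bool:
    """Return True if a datagram from an unrelated peer is delivered to the
    client's ephemeral UDP port while the client waits for its reply."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))       # stand-in resolver target, never replies
    stranger = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    stranger.bind(("127.0.0.1", 0))     # unrelated sender on a different port
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))       # the resolver's ephemeral port
    client.settimeout(0.5)
    try:
        if connect_client:
            # connect() on a UDP socket makes the kernel discard datagrams
            # whose source address/port differ from the peer we sent to.
            client.connect(server.getsockname())
            client.send(b"query")
        else:
            client.sendto(b"query", server.getsockname())
        # The unrelated peer sends to the client's open port.
        stranger.sendto(b"not the reply", client.getsockname())
        try:
            return client.recv(64) == b"not the reply"
        except socket.timeout:
            return False                # datagram was filtered out
    finally:
        for s in (server, stranger, client):
            s.close()

if __name__ == "__main__":
    print("unconnected socket delivered stranger's datagram:",
          stranger_datagram_reaches_client(False))   # True
    print("connected socket delivered stranger's datagram:",
          stranger_datagram_reaches_client(True))    # False
```

The connect() filter compares only the datagram's source address and port, so it narrows the window described above rather than closing it; resolvers additionally match the DNS transaction ID against the outstanding query.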