New ZeroConf Spec

Scott James Remnant scott at ubuntu.com
Mon Jul 10 09:58:58 BST 2006


On Sun, 2006-07-09 at 13:39 -0500, Carl Karsten wrote:

> Scott James Remnant wrote:
> > On Mon, 2006-07-03 at 20:48 -0700, Dan Kegel wrote:
> > 
> >> There should be no exception: there should be no open ports by default.
> >>
> > This isn't actually entirely true; we currently have two open ports by
> > default:
> > 
> > If you're on a network with DHCP, the DHCP client listens on UDP port 68
> > to receive responses from the DHCP server.
> > 
> > And every time you make a DNS query, a UDP port is opened to receive the
> > response from the DNS server.
> 
> I think you are missing the meaning or intent of "no open ports" - when a client 
> makes a request of a server, it waits for the response on a port.  That includes 
> a web browser, dns, e-mail client, apt-get, IRC and anything else that talks to 
> another box.
> 
These all talk TCP, which has reasonably strong prevention against
attack from an alternate source, and which comes for free in the kernel.

DNS uses UDP, which does NOT have this prevention: while the daemon is
waiting for a reply, it can receive packets from ANYWHERE.

Scott
-- 
Scott James Remnant
scott at ubuntu.com
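An added illustration of the point Scott makes above, not code from the original message or from any Ubuntu component: a "resolver" client sends one datagram to a "server" socket, and an unrelated "intruder" socket then writes to the client's ephemeral port. Everything runs on loopback; the names udp_exchange, HOST, "server", "intruder" and the payloads are my own, constructed for the example. With a plain sendto()/recvfrom() the client accepts the intruder's datagram just as readily as the real reply; with connect() on the UDP socket the kernel discards datagrams whose source is not the connected peer.

```python
import socket

# Constructed demonstration (not from the mailing-list post): a "resolver"
# client, a "DNS server" and an unrelated "intruder", all on loopback.
HOST = "127.0.0.1"


def _udp_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((HOST, 0))  # kernel picks an ephemeral port, as a resolver's query socket would
    return s


def udp_exchange(use_connect, timeout=0.5):
    """Send one 'query' from client to server, then have both the server and an
    intruder send a datagram to the client's port.  Returns the list of
    (payload, sender) pairs the client actually receives.

    use_connect=False: plain sendto()/recvfrom(); the socket accepts datagrams
                       from any source while it waits.
    use_connect=True:  client connect()s to the server first, so the kernel
                       drops datagrams whose source is not (server ip, port).
    """
    server, intruder, client = _udp_socket(), _udp_socket(), _udp_socket()
    client.settimeout(timeout)
    try:
        if use_connect:
            client.connect(server.getsockname())
            client.send(b"query")
        else:
            client.sendto(b"query", server.getsockname())

        _, client_addr = server.recvfrom(64)  # server learns the client's (ip, port)

        # The intruder races the real reply.  All it needs is the client's
        # (ip, port), which it can observe or guess; it never saw the query.
        intruder.sendto(b"forged", client_addr)
        server.sendto(b"reply", client_addr)

        received = []
        while True:
            try:
                data, src = client.recvfrom(64)
            except socket.timeout:
                break
            sender = "server" if src == server.getsockname() else "intruder"
            received.append((data, sender))
        return received
    finally:
        for s in (server, intruder, client):
            s.close()


if __name__ == "__main__":
    print("unconnected:", udp_exchange(False))
    print("connected:  ", udp_exchange(True))
```

The connected case is the cheap check a practitioner would want, but note its limit: connect() only makes the kernel compare the source address and port of each incoming datagram, so a forged packet carrying the server's address and port still passes, which is why resolvers additionally randomize the source port and the transaction ID rather than relying on connect() alone.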