Folks, I'm missing something with the concept of doing randomization for DNS messages by ASA.
This is what we know from the official Cisco paper: http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

"Randomization for DNS Transaction Identifier

DNS uses transaction IDs (TXID) for tracking queries and responses to queries. The DNS transaction ID is a 16-bit field in the Header section of a DNS message. DNS implementations use the transaction ID along with the source port value to synchronize the responses to previously sent query messages. Flaws have been discovered in DNS where the implementations do not provide sufficient entropy in the randomization of DNS transaction IDs when issuing queries ..."

and so on and so forth....

Now, we have the ASA to enable some advanced DNS inspection, namely:

dns-guard
Enable dns-guard to verify that DNS query and response transaction IDs match and only one DNS response is allowed through the firewall for each query.

id-randomization
Enable id-randomization to generate unpredictable DNS transaction IDs in DNS messages and protect DNS servers and resolvers with poor randomization of DNS transaction IDs.

How does it all tie together? If I'm a host sitting behind the ASA and for some reason my randomization algorithm is so poor, and I'm sending a DNS query to the upstream DNS resolver and the ASA rewrites this query by inserting a random ID, how am I supposed to trust/validate the response to my query? Does the ASA revert it back when the reply comes from the resolver?

Eugene
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
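The mechanism Eugene is asking about can be seen in miniature with a small model of a stateful TXID rewriter. This is an added example, not code from Cisco or from the dns-bcp paper, and it makes one assumption that the page does not spell out: a firewall that rewrites the 16-bit ID field on an outbound query must keep a per-client mapping (here keyed on the client's address and source port plus the rewritten ID) and translate the ID back on the matching reply, otherwise the host could never pair the answer with its question. The class and function names below (`DnsIdRandomizer`, `build_query`, `build_response_for`) are hypothetical; the message bytes are constructed in the block. The `inbound` path also shows the dns-guard behaviour quoted above: a reply passes only if its ID matches an outstanding query from that client, and the state entry is retired so only one reply per query gets through.

```python
"""Model of DNS transaction-ID randomization as an inspecting firewall
would have to implement it (added illustration; hypothetical names).

Outbound: swap the client's TXID for a random one and remember the mapping.
Inbound:  accept a reply only if its TXID matches an outstanding query from
          that client, restore the client's original TXID, retire the state.
"""
import secrets
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (16-bit, network order)
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # FLAGS bit that marks a message as a response


def encode_qname(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed sample: a standard query with RD set, one question, class IN."""
    header = HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def build_response_for(query: bytes) -> bytes:
    """Constructed sample reply: the query echoed back with QR set, no answers."""
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(query)
    return HEADER.pack(txid, flags | QR_BIT, qd, an, ns, ar) + query[HEADER.size:]


def get_txid(msg: bytes) -> int:
    """The transaction ID is the first 16-bit field of the header."""
    return struct.unpack_from("!H", msg, 0)[0]


def set_txid(msg: bytes, txid: int) -> bytes:
    """Return a copy of the message with the ID field replaced."""
    return struct.pack("!H", txid) + msg[2:]


def is_response(msg: bytes) -> bool:
    return bool(struct.unpack_from("!H", msg, 2)[0] & QR_BIT)


class DnsIdRandomizer:
    """Hypothetical firewall state table: (client socket, wire TXID) -> original TXID."""

    def __init__(self, txid_source=None):
        # Injectable ID source so the behaviour can be tested deterministically;
        # the default draws from the OS CSPRNG.
        self._rand = txid_source or (lambda: secrets.randbelow(1 << 16))
        self._pending = {}

    def outbound(self, client: str, query: bytes) -> bytes:
        """Rewrite the ID of a client query and record the mapping."""
        if len(query) < HEADER.size or is_response(query):
            raise ValueError("outbound message is not a DNS query")
        original = get_txid(query)
        wire = self._rand()
        # Never reuse an ID that is still outstanding for the same client socket,
        # otherwise two replies could become indistinguishable.
        while (client, wire) in self._pending:
            wire = (wire + 1) & 0xFFFF
        self._pending[(client, wire)] = original
        return set_txid(query, wire)

    def inbound(self, client: str, reply: bytes):
        """Validate a reply; return it with the original ID restored, or None to drop."""
        if len(reply) < HEADER.size or not is_response(reply):
            return None
        # pop() retires the entry: only one reply per query is forwarded (dns-guard).
        original = self._pending.pop((client, get_txid(reply)), None)
        if original is None:
            return None  # no matching outstanding query for this client: drop
        return set_txid(reply, original)

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    fw = DnsIdRandomizer()
    host = "10.0.0.5:53001"          # constructed client address:port
    q = build_query(1, "example.com")  # a host with a poor (predictable) TXID
    on_wire = fw.outbound(host, q)
    print(f"client sent ID {get_txid(q):#06x}, wire carries {get_txid(on_wire):#06x}")
    back = fw.inbound(host, build_response_for(on_wire))
    print(f"reply delivered to client with ID {get_txid(back):#06x}")
```

The point for the question above is visible in `inbound`: the host never has to trust the randomized ID, because the reply it receives carries the ID it originally chose; the firewall, not the host, is the party that validates the upstream reply against its own unpredictable value. The model only keys state on the client socket and TXID; a real inspection engine would also match the question section and handle UDP versus TCP, which this example leaves out.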
