Thank you for the information, Simon!

So far I've applied the patch mentioned by the saddns.net website to our Linux 
kernel:  "Yes, we have worked with the Linux kernel security team and developed 
a patch that randomizes the ICMP global rate limit to introduce noises to the 
side channel."

I'm hoping that will be enough but if I experiment with changing the TIMEOUT 
parameter that you mentioned I will let you know what the results are.

-----Original Message-----
From: Dnsmasq-discuss <dnsmasq-discuss-boun...@thekelleys.org.uk> On Behalf Of 
Simon Kelley
Sent: Thursday, December 10, 2020 4:54 PM
To: dnsmasq-disc...@thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Sad DNS vulnerability

On 08/12/2020 00:51, WU, CHRIS wrote:
> Another easy fix is to set the timeout of DNS queries more aggressively.
> For example, you should set it so that's less than a second. This way 
> the source port will be short-lived and disappear before the attacker 
> can start injecting rogue responses. The downside, however, is the 
> possibility of introducing more retransmitted queries and overall 
> worse performance.
> 
> 

I've not experimented with this, but you could try reducing the value of the 
TIMEOUT parameter in /src/config.h and recompiling to achieve this.
It's likely to make stuff more fragile.


The only real fix for all of these problems is DNSSEC, but that requires much 
more of the DNS to actually be signed.



Cheers,

Simon.


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
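Since the thread closes on DNSSEC validation as the only real fix, here is an added dnsmasq.conf fragment showing how validation is switched on in dnsmasq; it is an illustration added here, not configuration from either list post or from the dnsmasq project, and it assumes a dnsmasq build with DNSSEC support, a constructed upstream address, and a distribution-dependent path for the trust-anchor file.

```conf
# Added example fragment (assumption: dnsmasq compiled with DNSSEC support).
# Upstream resolver; constructed address, replace with your own. It must pass
# EDNS0 and DNSSEC records through unchanged for validation to work.
server=192.0.2.53
# Validate signed answers from upstream instead of trusting them blindly.
dnssec
# Root trust anchor shipped with dnsmasq; the install path varies by distribution.
conf-file=/usr/share/dnsmasq/trust-anchors.conf
# Require proof that a zone is really unsigned before accepting unsigned data,
# so a forged "unsigned" reply cannot sidestep validation.
dnssec-check-unsigned
# Log queries so validation failures (a possible spoofing attempt) are visible.
log-queries
```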
