On the unpredictability of DNS

Ben Laurie ben at links.org
Sun Aug 3 07:44:04 EDT 2008

William Allen Simpson wrote:
> I've changed the subject.  Some of my own rants are about mathematical
> cryptographers that are looking for the "perfect" solution, instead of
> a practical security solution.  Always think about the threat first!
> In this threat environment, the attacker is unlikely to have perfect
> knowledge of the sequence.  Shared resolvers are the most critical
> vulnerability, but the attacker isn't necessarily in the packet path, and
> cannot discern more than a few scattered numbers in the sequence.  The
> more sharing (and greater impact), the more sparse the information.
> In any case, the only "perfect" solution is DNS-security.  Over many
> years, I've given *many* lectures to local university, network, and
> commercial institutions about the need to upgrade and secure our zones.
> But the standards kept changing, and the roots and TLDs were not secured.
> Now, the lack of collective attention to known security problems has
> bitten us collectively.
> Nevertheless, with rephrasing, Ben has some good points....

I don't see any actual rephrasing below, unless you are suggesting I 
should have said "unpredictable" instead of "random". I think that's a 
perfectly fine substitution to make.

> Ben Laurie wrote:
>> But just how GREAT is that, really? Well, we don't know. Why? Because 
>> there isn't actually a way to test for randomness. ...
> While randomness is sufficient for "perfect" unpredictability, it isn't
> necessary in this threat environment.

I agree, but my point is unaltered if you switch "randomness" to 

> Keep in mind that the likely unpredictability is about 2**24.  In many
> or most cases, that will be implementation limited to 2**18 or less.


>> Your DNS resolver could be using some easily predicted random number 
>> generator like, say, a linear congruential one, as is common in the 
>> rand() library function, but DNS-OARC would still say it was GREAT.
> In this threat environment, a better test would be for determination of a
> possible seed for any of several common PRNG.  Or lack of PRNG.

I don't see why. A perfectly reasonable threat is that the attacker 
reverse engineers the PRNG (or just checks out the source). It doesn't 
need to be common to be predictable.

>> Oh, and I should say that number of ports and standard deviation are 
>> not a GREAT way to test for "randomness". For example, the sequence 
>> 1000, 2000, ..., 27000 has 27 ports and a standard deviation of over 
>> 7500, which looks pretty GREAT to me. But not very "random".
> Again, the question is not randomness, but unpredictability.

Again, changing the words does not alter my point in any way, though I 
do agree that unpredictable is a better word.



http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
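
Added example, not part of the original messages: a resolver-audit check in Python that computes the two figures criticised in the thread (distinct ports and standard deviation) and then tests whether an affine model predicts the next port. It is run on the 1000, 2000, ..., 27000 sequence and on constructed output from a textbook 16-bit linear congruential generator. The function names, the LCG constants, and the assumption that the generator's whole state is used as the port are illustrative.

```python
import statistics

M = 65536  # assumption: the toy generator's whole 16-bit state is used as the port

def spread_score(ports):
    """Distinct-port count and standard deviation: the two figures criticised above."""
    return len(set(ports)), statistics.pstdev(ports)

def fit_affine(ports, m=M):
    """Explain the sequence as x[n+1] = (a*x[n] + c) % m, or return None.

    a == 1 is a constant step; any other a is a full-state linear
    congruential generator.
    """
    steps = [(q - p) % m for p, q in zip(ports, ports[1:])]
    if len(set(steps)) == 1:
        return 1, steps[0]
    for i, d in enumerate(steps[:-1]):
        if d % 2:  # only odd differences are invertible modulo 2**16
            a = steps[i + 1] * pow(d, -1, m) % m
            c = (ports[i + 1] - a * ports[i]) % m
            ok = all((a * p + c) % m == q for p, q in zip(ports, ports[1:]))
            return (a, c) if ok else None
    return None

def predict_next(ports, m=M):
    """Next port under the fitted model, or None if no affine model fits."""
    model = fit_affine(ports, m)
    return None if model is None else (model[0] * ports[-1] + model[1]) % m

def lcg_ports(seed, n, a=25173, c=13849, m=M):
    """Constructed sample data: n outputs of a textbook 16-bit LCG."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out

STEPPED = list(range(1000, 28000, 1000))   # the 1000, 2000, ..., 27000 sequence
LCG = lcg_ports(seed=12345, n=28)          # 27 observed ports plus the one to predict

if __name__ == "__main__":
    for name, seq in (("stepped", STEPPED), ("lcg", LCG[:27])):
        print(name, spread_score(seq), "next:", predict_next(seq))
```

Both sequences pass a spread-only check with 27 distinct ports, yet each is fully determined by two fitted parameters; a `None` from `fit_affine` only rules out this one model and says nothing about other generators.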

The Cryptography Mailing List