DNS query randomisation
A lot has been said in the last few weeks about the need to randomise the source port used to issue DNS queries to mitigate the risk of cache poisoning attacks.
The need to randomise the 16-bit Query ID was recognised long ago and is widely implemented. However, investigation of the DNS traffic hitting Nominet's .uk name servers shows that, even now, Query ID randomisation is not correctly implemented everywhere!
A snapshot was taken of all incoming traffic to one of the .uk authoritative name servers for a 10 minute window around 12:00 BST (11:00 GMT) on each of the last six days, and then filtered to exclude any client that issued fewer than 500 queries in total across those sampling periods.
The results below show 16 clients using Query IDs only in the range 0 - 16383 (i.e. 14 bits) and another two using only the range 0 - 32767 (15 bits). Each row is one client: the total number of queries it sent, how many distinct Query IDs it used, and the standard deviation, minimum and maximum of those IDs.
| queries | distinct QIDs | stddev | min QID | max QID |
|---|---|---|---|---|
| 986 | 887 | 4799.8014 | 36 | 16356 |
| 1417 | 795 | 4823.0908 | 29 | 16372 |
| 833 | 777 | 4747.0796 | 22 | 16374 |
| 1109 | 1042 | 4774.1761 | 13 | 16364 |
| 508 | 415 | 4908.3115 | 32 | 16320 |
| 578 | 559 | 4682.2742 | 0 | 16344 |
| 584 | 195 | 5001.5020 | 50 | 16376 |
| 806 | 767 | 4687.1233 | 48 | 16374 |
| 520 | 500 | 4716.7800 | 9 | 16361 |
| 811 | 796 | 9675.4265 | 3 | 32761 |
| 840 | 787 | 4691.5559 | 15 | 16336 |
| 667 | 658 | 9363.0246 | 13 | 32762 |
| 661 | 373 | 4856.5800 | 22 | 16317 |
| 654 | 654 | 1251.1737 | 4006 | 12936 |
| 13070 | 6925 | 4729.9155 | 8 | 16381 |
| 817 | 774 | 4545.2894 | 16 | 16361 |
| 2459 | 2126 | 4703.9213 | 24 | 16382 |
| 4298 | 3308 | 4714.6598 | 8 | 16383 |
Servers using the full 16 bits for Query ID have a typical standard deviation in excess of 17,000. That is what a uniform choice over 0 - 65535 predicts: the standard deviation of a uniform draw over 2^k values is 2^k/√12, i.e. about 18,900 for 16 bits, 9,459 for 15 bits and 4,730 for 14 bits, which is exactly where the rows above cluster.
It's likely that those using only 14 bits are running some version of MS Windows and have not been patched following Microsoft's Security Bulletin MS08-020, published in April 2008. This bug was originally reported to Microsoft by my colleague Roy Arends.
Further investigation of the data even found one low volume client only using Query IDs in the range 0 - 127, a mere 7 bits of entropy!
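To reproduce the kind of per-client check described above (the 500-query cutoff, the distinct-ID count, the standard deviation test against the 2^k/√12 expectation, and the bit width read off the largest ID seen, which is how a 7-bit or 14-bit client stands out), here is an added Python example; it is not Nominet's own analysis code. It assumes input lines of the form `client qid`, with the ID in decimal or 0x-hex (the shape `tshark -T fields -e ip.src -e dns.id` would print), and the traffic it analyses is constructed in `constructed_sample()`: one client each varying 16, 14, 15 and 7 bits of the Query ID, plus a low-volume client that the cutoff should discard.

```python
"""Per-client DNS Query ID entropy check (added example, not Nominet's code).

Input is assumed to be text lines "<client> <qid>", qid decimal or 0x-hex,
such as `tshark -T fields -e ip.src -e dns.id` emits; the traffic analysed
in main() is constructed, not captured.
"""
import math
import random
from collections import defaultdict

MIN_QUERIES = 500   # the post's cutoff: ignore clients seen fewer times than this
FULL_BITS = 16      # the DNS Query ID is a 16-bit field


def parse_line(line):
    """Return (client, qid) from "client qid"; int(x, 0) accepts 0x-hex or decimal."""
    client, qid = line.split()
    return client, int(qid, 0)


def qid_stats(qids):
    """Queries, distinct IDs, population stddev, min and max, as in the post's table."""
    n = len(qids)
    mean = sum(qids) / n
    stddev = math.sqrt(sum((q - mean) ** 2 for q in qids) / n)
    return {"queries": n, "distinct": len(set(qids)), "stddev": stddev,
            "min": min(qids), "max": max(qids)}


def estimate_bits(stats):
    """Two views of how many QID bits a client really varies.

    bits_from_max: bit length of the largest ID seen (never overstates width).
    bits_from_stddev: a uniform draw over 0..2^k-1 has stddev 2^k/sqrt(12),
    about 4730 for k=14, 9459 for k=15 and 18919 for k=16, so k is recovered
    as log2(stddev * sqrt(12)). A client confined to a narrow band inside a
    wider range (like the 4006-12936 row in the table) shows up here first.
    """
    bits_from_max = stats["max"].bit_length()
    sd = stats["stddev"]
    bits_from_stddev = round(math.log2(sd * math.sqrt(12))) if sd > 0 else 0
    return bits_from_max, bits_from_stddev


def analyse(lines, min_queries=MIN_QUERIES):
    """Group QIDs by client, drop low-volume clients, flag truncated ranges."""
    by_client = defaultdict(list)
    for line in lines:
        client, qid = parse_line(line)
        by_client[client].append(qid)
    report = {}
    for client, qids in by_client.items():
        if len(qids) < min_queries:
            continue
        st = qid_stats(qids)
        st["bits_from_max"], st["bits_from_stddev"] = estimate_bits(st)
        st["weak"] = min(st["bits_from_max"], st["bits_from_stddev"]) < FULL_BITS
        report[client] = st
    return report


def constructed_sample(seed=1, per_client=600):
    """Constructed traffic: clients varying 16, 14, 15 and 7 QID bits, plus one
    low-volume client that should be filtered out by the 500-query cutoff."""
    rng = random.Random(seed)
    widths = {"192.0.2.1": 16, "192.0.2.2": 14, "192.0.2.3": 15, "192.0.2.4": 7}
    lines = [f"{client} 0x{rng.getrandbits(bits):04x}"
             for client, bits in widths.items() for _ in range(per_client)]
    lines += [f"192.0.2.5 {rng.getrandbits(16)}" for _ in range(50)]
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    print(f"{'client':<12}{'queries':>8}{'distinct':>9}{'stddev':>11}"
          f"{'min':>7}{'max':>7}{'bits(max/sd)':>14}  weak")
    for client, st in sorted(analyse(constructed_sample()).items()):
        print(f"{client:<12}{st['queries']:>8}{st['distinct']:>9}{st['stddev']:>11.1f}"
              f"{st['min']:>7}{st['max']:>7}"
              f"{st['bits_from_max']:>8}/{st['bits_from_stddev']:<5}  {st['weak']}")
```

The two estimates deliberately disagree in one interesting case: a client whose IDs never leave a band such as 4006 - 12936 still reaches 14 bits by the largest-ID test but only about 12 by the spread test, so both are reported and a client is flagged as weak if either falls short of 16. With only a few hundred samples per client the spread estimate has a margin of a few percent, which is far too small to blur the gap between adjacent bit widths.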
