From: Stuart D. G. <st...@bm...> - 2008-05-05 03:52:04
I recently added a simple TID to pydns (Base.py:62) because certain firewalls
refuse to pass DNS requests with duplicate TIDs that have been responded to
(seems too smart for their own good to me). Previously, pydns always put 0 in
TID.

I used a simple random number - not at all cryptographically strong. I didn't
think it mattered much for pyspf - the cache is only kept for one MAIL FROM,
and the worst an attacker can do is cause a false positive or negative via
cache poisoning. However, with targeted phishing attacks, this could become
important.

What is a good but simple source of TIDs that are unpredictable to an
attacker? I could use SystemRandom (which uses /dev/urandom or equivalent),
but that is not available on all systems. I suppose use SystemRandom, and use
the default if not available. (Mersenne Twister with system time as seed - and
Netscape learned the hard way that current time makes a terrible random seed
for crypto purposes.)

I also thought about efficiency. (Although this has already been
addressed in dnspython and twisted, pydns is very lightweight, and
if improving it keeps it that way, all the better.)

Currently, a fresh socket is created for each DNS request. This keeps
the logic simple, but creates a lot of sockets (and they depend on CPython
reference counting to get closed in a timely manner). I wonder if a
connection pool would be worthwhile.
--
Stuart D. Gathman <st...@bm...>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
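
The SystemRandom-with-fallback approach raised in the message above, as an added example that is not part of the original post and not pydns code. All function names are hypothetical; the sketch also shows the resolver-side check that makes an unpredictable TID useful, namely rejecting replies whose TID or echoed question does not match the outstanding query.

```python
import random
import struct

def make_tid_source():
    """Prefer the OS CSPRNG; fall back to the default generator if absent."""
    try:
        rng = random.SystemRandom()
        rng.getrandbits(16)      # raises NotImplementedError with no OS source
        return rng, True
    except NotImplementedError:
        return random.Random(), False   # Mersenne Twister: predictable

_RNG, TID_IS_STRONG = make_tid_source()

def new_tid():
    """16-bit DNS transaction ID."""
    return _RNG.getrandbits(16)

def build_query(name, qtype=1):
    """Return (tid, packet) for a minimal recursive query, class IN."""
    tid = new_tid()
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return tid, header + qname + struct.pack("!HH", qtype, 1)

def response_matches(tid, query, response):
    """Accept a reply only if TID, QR bit and echoed question all match."""
    if len(response) < 12:
        return False
    rtid, flags, qdcount = struct.unpack("!HHH", response[:6])
    question = query[12:]
    return (rtid == tid and bool(flags & 0x8000) and qdcount == 1
            and response[12:12 + len(question)] == question)

def constructed_reply(query, tid):
    """Constructed sample: header-only reply echoing the question with QR set."""
    return struct.pack("!HHHHHH", tid, 0x8180, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    tid, q = build_query("example.com")
    print("strong source:", TID_IS_STRONG)
    print("genuine reply accepted:", response_matches(tid, q, constructed_reply(q, tid)))
    print("wrong-TID reply accepted:",
          response_matches(tid, q, constructed_reply(q, tid ^ 1)))
```

Exposing `TID_IS_STRONG` lets a caller log or refuse to cache when only the predictable fallback generator is available.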