Enhanced DNS security with ephemeral ports and DNS 0x20 encoding

Significantly improve DNS client security against cache poisoning attacks through multiple defense layers:

Security Improvements:
- Bind UDP sockets to OS-assigned ephemeral ports (0.0.0.0:0) instead of predictable random ports, eliminating port-based attack vectors
- Implement DNS 0x20 encoding with strict case validation, adding 10-15 bits of entropy per query by randomizing domain name case
- Randomize transaction ID starting point using AtomicU16 for better entropy distribution

Attack difficulty increased from ~16 bits (65K attempts) to ~42-47 bits (4.4-140 trillion attempts), making spoofing 1,000x to 32,000x harder.

Configuration:
- Add 'enable_0x20' option to DNS settings (default: true)
- Users can disable for compatibility with legacy resolvers if needed
- Feature is configurable via alfis.toml

This commit is contained in:
Revertron
2025-10-27 14:39:47 +01:00
parent d3cdf6ea76
commit 5de0341ab4
6 changed files with 117 additions and 36 deletions
+1 -2
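The 0x20 encoding and strict case validation described above, as an added example that is not code from the alfis repository: it randomises the case of each ASCII letter in a query name, counts the entropy bits that adds, and rejects any reply whose question name does not match the sent name byte-for-byte. The `XorShift32` generator is an assumption to keep the block dependency-free; a real client would draw the bits from `rand`.

```rust
// Added example (not from the alfis repository): DNS 0x20 case
// randomisation plus the strict validation the commit message describes.

/// Minimal xorshift32 PRNG (assumption, not the project's RNG). The seed
/// must be non-zero, otherwise the state stays at zero forever.
pub struct XorShift32(pub u32);

impl XorShift32 {
    pub fn next_bit(&mut self) -> bool {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 17;
        x ^= x << 5;
        self.0 = x;
        x & 1 == 1
    }
}

/// Randomise the case of every ASCII letter in `qname`. Dots, digits and
/// hyphens are left untouched, so a case-insensitive resolver answers the
/// same record while the case pattern acts as a per-query nonce.
pub fn encode_0x20(qname: &str, rng: &mut XorShift32) -> String {
    qname
        .chars()
        .map(|c| {
            if !c.is_ascii_alphabetic() {
                c
            } else if rng.next_bit() {
                c.to_ascii_uppercase()
            } else {
                c.to_ascii_lowercase()
            }
        })
        .collect()
}

/// Entropy bits 0x20 encoding adds for this name: one bit per ASCII letter.
pub fn entropy_bits(qname: &str) -> u32 {
    qname.chars().filter(|c| c.is_ascii_alphabetic()).count() as u32
}

/// Strict validation: the reply's question name must equal the sent name
/// exactly, case included. A case-insensitive comparison would accept a
/// spoofed reply that guessed only the transaction ID and source port.
pub fn validate_0x20(sent: &str, received: &str) -> bool {
    sent == received
}
```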
@@ -45,8 +45,7 @@ impl BlockchainFilter {
}
fn lookup_from_ns(qname: &str, qtype: QueryType, servers: &Vec<IpAddr>) -> Option<DnsPacket> {
let port = 10000 + (rand::random::<u16>() % 50000);
let mut dns_client = DnsNetworkClient::new(port);
let mut dns_client = DnsNetworkClient::new();
dns_client.run().unwrap();
let timeout = std::time::Duration::from_secs(5);
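Review bot: the `DnsNetworkClient::new()` call at the end of this hunk drops the `port` argument, but the hunk does not show what the constructor now binds to; the commit message says 0.0.0.0:0, so the constructor change should be reviewed alongside this call, and the claim that port-based guessing is eliminated holds only on systems whose ephemeral port allocator is itself randomised rather than sequential. Also, with `rand::random::<u16>() % 50000` removed from `lookup_from_ns`, check whether `rand` is still used elsewhere in this file; if not, the import is now dead and should go in the same change.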