kdig TCP source ports are not randomized on Linux 4.9 and 4.14
I'm using the Linux kernel (tested on 4.9 and 4.14).
If I do a UDP query twice:
for x in a a; do kdig @9.9.9.9 example.com; done
then the source ports are not obviously related to one another (they appear to be randomized).
But if I use TCP:
for x in a a; do kdig +tcp @9.9.9.9 example.com; done
then the source ports are sequential (the source ports of the two queries are N and N+2).
If I ask kdig to bind() explicitly (even without an explicit address):
for x in a a; do kdig +tcp -b 0.0.0.0 @9.9.9.9 example.com; done
then the source ports again appear to be randomized.
So it looks like bind() forces unpredictable source ports.
Unpredictable source ports are useful for UDP to increase the entropy against an off-path attacker. For TCP, this isn't as important, because of the TCP handshake.
However, predictable source ports are potentially problematic in other ways, including that they leak information about other activity on the client.
It would be better to ensure all source ports are always randomized.
One option would be to try to get the kernel to always randomize ports, but we can't assume the kernel has that fixed. A more reliable fix would be for kdig to deliberately always bind(), even when using TCP.
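As an added illustration (not code from kdig or Knot DNS), the Python script below reproduces the comparison at the socket level: it connects to a target with and without an explicit bind() to 0.0.0.0 port 0 beforehand, which is what the `-b 0.0.0.0` option does, and flags a series of source ports that increase by a constant small step. The function names are my own; `demo_local()` uses a throwaway loopback listener so it runs without network access.

```python
import socket
import threading

def tcp_source_port(host, port, explicit_bind):
    """Connect over TCP and return the source port the kernel allocated.

    explicit_bind=True binds to 0.0.0.0 port 0 before connect(), the socket-level
    equivalent of the 'kdig +tcp -b 0.0.0.0' invocation from the report."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if explicit_bind:
            s.bind(("0.0.0.0", 0))  # port 0: the bind() allocator picks it
        s.connect((host, port))
        return s.getsockname()[1]
    finally:
        s.close()

def sample_ports(host, port, n, explicit_bind):
    """Open n short-lived connections and collect the chosen source ports."""
    return [tcp_source_port(host, port, explicit_bind) for _ in range(n)]

def looks_sequential(ports, max_step=2):
    """True when every consecutive pair differs by one small constant step
    (the N, N+2 pattern the report describes). Heuristic, not proof."""
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return len(steps) == 1 and 0 < next(iter(steps)) <= max_step

def demo_local(n=5):
    """Run both variants against a throwaway listener on 127.0.0.1 (no network
    access needed) and return both port series with their classification."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    target = srv.getsockname()

    def accept_all():  # accept and drop every connection the sampler makes
        for _ in range(2 * n):
            conn, _ = srv.accept()
            conn.close()

    t = threading.Thread(target=accept_all, daemon=True)
    t.start()
    connect_only = sample_ports(*target, n, False)
    with_bind = sample_ports(*target, n, True)
    t.join(timeout=5)
    srv.close()
    return {"connect_only": connect_only, "with_bind": with_bind,
            "connect_only_sequential": looks_sequential(connect_only),
            "with_bind_sequential": looks_sequential(with_bind)}
```

What the connect-only series shows depends on the running kernel, so `looks_sequential` is a heuristic for spotting the reported pattern, not a test of the kernel. A port allocated by bind() is reserved for that socket regardless of destination, so a client that always binds can exhaust the ephemeral range sooner than one that lets connect() choose.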