kdig TCP source ports are not randomized on Linux 4.9 and 4.14
I'm using the Linux kernel (tested on 4.9 and 4.14).
If I do a UDP query twice:
for x in a a; do kdig @18.104.22.168 example.com; done
then the source ports are not obviously related to one another (they appear to be randomized).
But if I use TCP:
for x in a a; do kdig +tcp @22.214.171.124 example.com; done
then the source ports are sequential (the source ports of the two queries are N and N+2).
If I ask kdig to bind() explicitly (even without an explicit address):
for x in a a; do kdig +tcp -b 0.0.0.0 @126.96.36.199 example.com; done
then the source ports again appear to be randomized.
So it looks like bind() forces unpredictable source ports.
Unpredictable source ports are useful for UDP to increase the entropy against an off-path attacker. For TCP, this isn't as important, because of the TCP handshake.
However, predictable source ports are potentially problematic in other ways, including that they leak information about other activity on the client.
It would be better to ensure all source ports are always randomized.
One option would be to try to get the kernel to always randomize ports, but we can't assume the kernel has that fixed. A more reliable fix would be for kdig to deliberately always bind(), even when using TCP.
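The following script is an added example, not code from kdig or from this report, for reproducing the observation on your own host without involving a remote resolver. It opens a handful of TCP connections to a constructed loopback listener, once letting connect() pick the source port (kdig's default TCP path) and once calling bind() on 0.0.0.0 port 0 first (the -b 0.0.0.0 path), and then applies a simple heuristic that flags a run of ports that all differ by the same small step, the N, N+2 pattern described above. The listener address, the connection count and the heuristic's threshold are assumptions of the example; whether the unbound run actually comes out sequential depends on the kernel you run it on.

```python
import socket


def _loopback_listener():
    """Constructed local TCP listener so the test needs no network access."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel choose a listening port
    srv.listen(16)
    return srv


def collect_source_ports(count, bind_first, dest=None):
    """Open `count` TCP connections to `dest` and return the source ports chosen.

    bind_first=False mirrors plain `kdig +tcp` (connect() on an unbound socket);
    bind_first=True mirrors `kdig +tcp -b 0.0.0.0` (bind() to an ephemeral port,
    then connect()). With dest=None a loopback listener is created for the run.
    """
    srv = None
    if dest is None:
        srv = _loopback_listener()
        dest = srv.getsockname()
    ports = []
    try:
        for _ in range(count):
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                if bind_first:
                    # Explicit bind with port 0: the port is selected by the
                    # bind() path rather than by connect().
                    s.bind(("0.0.0.0", 0))
                s.connect(dest)
                ports.append(s.getsockname()[1])
                if srv is not None:
                    conn, _ = srv.accept()
                    conn.close()
    finally:
        if srv is not None:
            srv.close()
    return ports


def consecutive_deltas(ports):
    """Differences between successive source ports in the order observed."""
    return [b - a for a, b in zip(ports, ports[1:])]


def looks_sequential(ports, max_step=2):
    """Heuristic: True when every successive port differs by one constant step
    in 1..max_step (e.g. N, N+2, N+4). Randomized ports will almost never do this.
    """
    deltas = consecutive_deltas(ports)
    return len(deltas) > 0 and len(set(deltas)) == 1 and 0 < deltas[0] <= max_step


if __name__ == "__main__":
    for label, bind_first in (("connect() only", False), ("bind() first", True)):
        ports = collect_source_ports(5, bind_first)
        verdict = "SEQUENTIAL" if looks_sequential(ports) else "not obviously sequential"
        print(f"{label:15} {ports} -> {verdict}")
```

Run it twice on the kernel under test: if the "connect() only" line is flagged SEQUENTIAL while the "bind() first" line is not, the host reproduces the behaviour reported here, and a client that always binds before connecting sidesteps it regardless of kernel version.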