Query ID Pool


BIND uses random query ID numbers to match queries with answers and to make spoofing answers more difficult. This is somewhat similar to the sequence numbers used in TCP, if you're familiar with those. In any case, the more random this number is, and the less often numbers are reused because of poor randomness, the better. BIND can, at the cost of 128KB of memory, increase the randomness of the query IDs by keeping track of which numbers have been used and for which the answer is still outstanding. The use-id-pool option, off by default, enables this:

    options {
        …
        use-id-pool yes;
        …
    };

BIND 9 has an enhanced random number generator and is capable of retrieving randomness from the OS. The BSDs and Linux, for example, have special random devices, /dev/random and /dev/urandom, which gather randomness from the whole OS and which the TCP/IP stack uses to generate very good randomness for TCP sequence numbers. BIND can gather randomness from these devices:

    options {
        …
        random-device "/dev/urandom";
        random-seed-file "/var/named/random-seed";
        …
    };

These options are new to BIND 9.0.0rc1 and completely undocumented. Please check the documentation available to you when you read this, especially the ARM and the named.conf man page. It might have revealing things to say about this feature and its use.

On Linux and the BSDs, the /dev/random device blocks the reader if the randomness is running thin. The /dev/urandom device, on the other hand, does not block the reader even in that case. Even when randomness is running thin, the kernel will deliver good randomness through these devices, and the use of the id-pool will help even more.
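The following is an added example, not code from BIND or from this book: a toy model of the query ID pool described above, drawing IDs from the OS random source (as random-device does) and refusing to hand out an ID whose answer is still outstanding. The class and function names are this example's own; BIND's real bookkeeping differs (the text quotes a 128KB cost, this bitmap uses 8KB).

```python
import secrets

ID_SPACE = 1 << 16  # DNS query IDs are 16 bits wide


class QueryIdPool:
    """Tracks query IDs whose answer is still outstanding, one bit per ID.

    Simplified illustration of the idea behind use-id-pool: never reuse an
    ID that is in flight, so a forged answer must guess a truly random ID.
    Hypothetical example code, not BIND's implementation.
    """

    def __init__(self):
        self.outstanding = bytearray(ID_SPACE // 8)
        self.in_use = 0

    def is_outstanding(self, qid):
        return bool(self.outstanding[qid >> 3] & (1 << (qid & 7)))

    def allocate(self):
        """Draw a fresh ID from OS randomness that is not currently in flight."""
        if self.in_use >= ID_SPACE:
            raise RuntimeError("all 65536 query IDs are outstanding")
        while True:
            qid = secrets.randbelow(ID_SPACE)  # OS-backed, like random-device
            if not self.is_outstanding(qid):
                self.outstanding[qid >> 3] |= 1 << (qid & 7)
                self.in_use += 1
                return qid

    def release(self, qid):
        """Answer matched (or query timed out): the ID may be reused."""
        if self.is_outstanding(qid):
            self.outstanding[qid >> 3] &= ~(1 << (qid & 7)) & 0xFF
            self.in_use -= 1


def count_reuse(n, pool=None):
    """Issue n queries without waiting for answers; count IDs handed out
    while already in flight.  Untracked random IDs collide at roughly
    n*n/(2*65536) by the birthday bound; the pool never does."""
    in_flight, reused = set(), 0
    for _ in range(n):
        qid = pool.allocate() if pool else secrets.randbelow(ID_SPACE)
        if qid in in_flight:
            reused += 1
        in_flight.add(qid)
    return reused
```

With 5000 queries outstanding at once, the untracked variant typically reuses IDs around 190 times, while the pool reuses none.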



The Concise Guide to DNS and BIND
ISBN: 0789722739
Year: 1999
Pages: 183
