Is Source Port Randomization Enabled on AWS Route53?

0

I use Route 53 to resolve Internet names from EC2 etc. inside the VPC.
I think that source port randomization is effective as a countermeasure against DNS cache poisoning.
So I would like to know if it is enabled in Route 53.

Asked 3 years ago, 488 views
2 answers
0
Accepted answer

Source port randomization is a feature which clients use when querying DNS resolvers and which DNS resolvers use when querying DNS authorities. It is indeed a standard mitigation for cache poisoning. The Route 53 Resolver in your VPC, in common with pretty much all modern resolvers, does use source port randomization when querying authorities.

If you are very concerned about cache poisoning, you might also be interested in enabling DNSSEC validation in your VPC, which allows cryptographic validation of responses, if the domain you're querying is DNSSEC signed. See the Route 53 Resolver documentation:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dnssec-validation.html

I would suggest being a little careful enabling DNSSEC validation. Occasionally third party public domains may have broken signatures. If that is the case, enabling DNSSEC validation will (by design) cause DNS resolution to fail for those domains.

AWS
Expert
gavinmc
Answered 3 years ago
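A practical follow-up to the accepted answer is to confirm, from an instance in the VPC, that DNSSEC validation is actually in effect and to see the failure mode it describes. A validating resolver sets the AD (authenticated data) flag on answers from correctly signed zones and returns SERVFAIL for zones with broken signatures. The script below is an added example, not code from the thread, AWS, or the Route 53 Resolver documentation; it uses only the Python standard library to build a DNS query with EDNS0 and the DO bit, send it to a resolver, and report the AD flag and RCODE. It assumes the Amazon-provided resolver is reachable at the link-local address 169.254.169.253 (change `VPC_RESOLVER` for a custom resolver), and the domain names you pass are your own choice.

```python
"""Report whether a resolver returns DNSSEC-validated (AD) answers.

Added example, not from the re:Post thread. Builds a minimal DNS query with
EDNS0 and the DO bit, sends it to a resolver, and reports the AD flag and
RCODE. With Route 53 Resolver DNSSEC validation enabled in the VPC, a
correctly signed zone answers AD=1 and a zone with broken signatures answers
SERVFAIL (RCODE 2), the failure mode the accepted answer warns about.
"""
import secrets
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}
# Assumption: the Amazon-provided resolver is reachable at this link-local
# address from inside the VPC; adjust if you use a custom resolver.
VPC_RESOLVER = "169.254.169.253"


def encode_name(name):
    """Encode 'example.com' as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=None, do=True):
    """Return (txid, wire bytes) for a recursive query; adds EDNS0 OPT with DO=1."""
    if txid is None:
        txid = secrets.randbits(16)  # unpredictable transaction id
    flags = 0x0100  # RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size 1232,
        # TTL field = ext-rcode/version/flags with DO bit (0x8000) set, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return txid, msg


def parse_flags(data):
    """Parse the 12-byte DNS header of a response into a dict of flags."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),  # set only by a validating resolver
        "cd": bool(flags & 0x0010),
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": an,
    }


def check_validation(name, resolver=VPC_RESOLVER, timeout=3.0):
    """Query the resolver, verify the txid matches, and return the parsed flags."""
    txid, msg = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (resolver, 53))
        data, _ = s.recvfrom(4096)
    info = parse_flags(data)
    if info["txid"] != txid:
        raise ValueError("transaction id mismatch: discarding unexpected response")
    return info


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_ad.py <domain> [<domain> ...]")
    for domain in sys.argv[1:]:
        r = check_validation(domain)
        print(f"{domain}: rcode={r['rcode']} ad={r['ad']} answers={r['answers']}")
```

Run it against a domain you know is signed and against one you know is not: with validation enabled you should see `ad=True` for the former and `ad=False` with a normal answer for the latter; a domain whose signatures are broken comes back as `rcode=SERVFAIL` with no answers, which is the resolution failure the answer above describes.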
0

Thanks for your help.

Answered 3 years ago
