Nintendo: 3DS DNS Client Resolver Library Uses Predictable TXID
I bought a New Nintendo 3DS XL (US) with firmware 11.2.0-35U, and I've noticed that that DNS client resolved on the 3DS uses a simple incrementing TXID for lookups. This does not provide enough entropy to prevent remote attackers from spoofing responses. (For example, see MS08-020 when this happened to Microsoft, although theirs was just not very random, yours is just incrementing so it's even worse). Note: this can also work behind NAT, because that just session matches and UDP has no ISN to verify.
In general, you need an unpredictable src port (16 bits) and dns txid (16 bits) to prevent a remote attacker from spoofing responses.
An example attack scenario would be someone using the browser to visit attacker.com.
User visits attacker.com
Attacker forces a lookup to asdad839qd.attacker.com via or whatever.
Now attacker can guess your resolver, etc.
Attacker create an