Risks of patched servers behind de-randomizing NAT

Jeff Lightner jlightner at water.com
Fri Aug 1 13:10:26 UTC 2008


Interesting. There's an EOL for this but it shows they're still
selling it through July 2008 and shipping through October 2008.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps2031/prod_eol_notice0900aecd80731dec.html

Apparently it's still supported - you just haven't paid for the support.
The big guys make a lot of their money on paid support.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Kirk
Sent: Friday, August 01, 2008 7:43 AM
To: Mark Andrews; bind-users
Subject: Re: Risks of patched servers behind de-randomizing NAT

Mark Andrews wrote:
>> David Carmean wrote:
>>> I seem to have lost a message where somebody from ISC (Paul?) was
>>> going to release an updated/new advisory regarding the source-port
>>> de-randomizing effects of many NAT implementations will have upon
>>> patched servers.

>> But why someone puts a DNS server behind a NAT? It's a bit
>> nonsensical...
> 
> 	There are lots of reasons to put a recursive server behind
> 	a NAT.  It's something that just "should work" and does if
> 	you aren't trying to introduce entropy by randomising ports.
> 
> 	Note. Not all NATs have bad behaviours in this respect.  Some
> 	try to preserve the internal port.
> 
> 	Mark
> 	


This is slightly off topic.  However, I thought it appropriate to share.

At home I have two recursive servers sitting on a private lan behind a 
Cisco PIX 501.  These servers are mostly to play with, but also provide
recursion to all the nodes in my house.

After upgrading these servers to the latest patched version of BIND, I 
tried the porttest query to test randomization.  Well, both got POOR 
ratings.  This led me to believe that my PIX was the culprit.

Last night, I spent close to 30 with the Cisco help desk trying to get 
assistance, only to find that because my unit was out of warranty and I 
had no contract, they could be of no help.  They suggested I open a 
"web-help" ticket with Cisco.  This also returned no help for the same 
reason.  Also, my appliance is already at the highest code OS level.

I guess those of us who purchased Cisco products that are out of 
warranty and under no contract are at risk until we purchase some new 
appliance.

http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml

Sorry for the rant, but it "seemed" sort of appropriate here in this
thread.

- Kirk
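The two technical points in this thread, Mark's remark that some NATs preserve the internal source port while others rewrite it, and Kirk's POOR porttest result from behind a PIX, can be illustrated with a small self-check. The script below is an added example, not part of the original thread and not BIND, Cisco or DNS-OARC code. It models three assumed NAT behaviours (port-preserving, counter-based, single fixed port), runs a randomised set of resolver source ports through each, and rates what the outside world would see. The thresholds in rate_ports are assumptions chosen to separate those three cases, not the scale the porttest service uses. In practice the list fed to rate_ports would be the UDP source ports of outgoing queries captured on the outside interface of the NAT.

```python
"""Does the NAT keep the source-port entropy a patched resolver generates?

Added example (not from the thread, BIND, or Cisco). NAT behaviours and
rating thresholds are assumptions used to make the three cases visible.
"""
import random
import statistics

PORT_MIN, PORT_MAX = 1024, 65535


def resolver_ports(n, seed=1):
    """Randomised source ports as a patched resolver would choose them.
    Constructed sample; the fixed seed only keeps the example reproducible."""
    rng = random.Random(seed)
    return [rng.randrange(PORT_MIN, PORT_MAX + 1) for _ in range(n)]


def nat_rewrite(ports, mode):
    """Assumed NAT models: what an observer outside the NAT sees.
    'preserve'   : NAT keeps the internal port (the good behaviour Mark mentions)
    'sequential' : NAT allocates external ports from a counter, one per flow
    'fixed'      : NAT squeezes every flow onto one external port
    """
    if mode == "preserve":
        return list(ports)
    if mode == "sequential":
        return [1024 + i for i in range(len(ports))]
    if mode == "fixed":
        return [1024] * len(ports)
    raise ValueError(f"unknown NAT mode: {mode}")


def sequential_fraction(ports):
    """Share of consecutive observations where the port rose by exactly 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def rate_ports(ports):
    """Rate observed source ports as 'GOOD', 'FAIR' or 'POOR'.
    Thresholds are assumptions. Returns (rating, stats) so the numbers
    behind the verdict are visible to the operator."""
    distinct = len(set(ports))
    seq = sequential_fraction(ports)
    spread = statistics.pstdev(ports) if distinct > 1 else 0.0
    if distinct <= 1 or seq >= 0.5:
        rating = "POOR"   # a single port or a counter: trivially predictable
    elif spread < 3000:
        rating = "FAIR"   # ports vary, but only within a narrow band
    else:
        rating = "GOOD"   # ports spread across the range, no obvious pattern
    return rating, {"distinct": distinct,
                    "sequential": round(seq, 2),
                    "stddev": round(spread, 1)}


def rate_behind_nat(mode, n=32):
    """Rating a randomising resolver gets when seen through the given NAT model."""
    return rate_ports(nat_rewrite(resolver_ports(n), mode))[0]


if __name__ == "__main__":
    for mode in ("preserve", "sequential", "fixed"):
        rating, stats = rate_ports(nat_rewrite(resolver_ports(32), mode))
        print(f"{mode:>10}: {rating:<4} {stats}")
```

The port-preserving model rates GOOD because the resolver's randomisation survives untouched; the counter and fixed-port models rate POOR even though the resolver itself is fully patched, which is exactly the situation Kirk describes. The fix in those cases is on the NAT (a port-preserving configuration or a replacement device), not on BIND.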

