iptables and bind

Kevin Darcy kcd at chrysler.com
Tue Aug 12 04:53:09 UTC 2008


Paul A wrote:
> Hi, sorry if this has been asked before but will using iptables to randomize
> source ports further help prevent cache poison?
> I have a Bind 9 server that is an authoritative/cache server.
> Where can I find some examples of iptables rules being used with random
> port/rate limits?
> I tried using iptables with the random options but I get, iptables v1.2.11:
> Unknown arg `--random'.
>
> Using BIND 9.4.3b2 with iptables v1.2.11 on Centos 2.6.9-67.0.20.ELsmp.
>   
According to http://www.iptables.org/news.html#2007-12-22 the port 
randomization feature was added in iptables v1.3.8, which appears to be 
later than the version you're running, and other sources indicate that 
the feature relies on kernel support available only in 2.6.22 or later.

But, even if, hypothetically, you were to get iptables to randomize 
source ports for you, the version of BIND you're running _already_ 
randomizes source ports, so re-randomizing using iptables will only help 
prevent an attack if the iptables PRNG produces higher-quality (i.e. 
less predictable) results than the PRNG that BIND uses. If both BIND and 
iptables use the same source of entropy, then I don't see that you would 
buy anything by implementing source-port randomization at the iptables 
level, and you would pay a cost in terms of complexity and overhead.

(Caveat: I'm no crypto or entropy expert).

                  - Kevin
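As an added illustration, not part of Kevin's reply or of the original question: a POSIX sh snippet that turns the version gate from the reply (iptables >= 1.3.8 and a kernel >= 2.6.22 for `--random`) into a check you can run before touching the firewall. The function names, the `iptables -V` banner parsing, the example address 192.0.2.53 and the exact SNAT rule text are my own assumptions; only the `--random` flag and the two version thresholds come from the thread. The script prints what it would do and never modifies the live ruleset.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Decides whether this
# iptables/kernel pair can do SNAT source-port randomization before any
# rule is attempted. Thresholds are the ones cited in the reply:
# iptables >= 1.3.8 and kernel >= 2.6.22 (assumption: the 2.6.22 figure is
# "other sources", not the iptables news page itself).

# iptables_version_from_banner BANNER: "iptables v1.2.11" -> "1.2.11"
iptables_version_from_banner() {
    printf '%s\n' "${1#iptables v}"
}

# version_core RELEASE: drop a distro suffix such as "-67.0.20.ELsmp",
# leaving just the dotted numeric part ("2.6.9").
version_core() {
    printf '%s\n' "${1%%-*}"
}

# version_ge A B: exit 0 when dotted version A >= B, comparing the first
# three components as integers (so 1.3.8 > 1.2.11 and 1.10.0 > 1.3.8,
# which a plain string comparison would get wrong).
version_ge() {
    a=$(version_core "$1"); b=$(version_core "$2")
    oldifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# random_snat_supported IPTABLES_VERSION KERNEL_RELEASE: both minimums met?
random_snat_supported() {
    version_ge "$1" 1.3.8 && version_ge "$2" 2.6.22
}

# snat_plan IPTABLES_VERSION KERNEL_RELEASE SOURCE_IP: print the nat rule
# that would randomize the source port of outbound UDP/53 queries from
# SOURCE_IP, or a diagnostic saying why it cannot be added. Nothing is
# applied; the caller decides whether to run the printed command.
snat_plan() {
    if random_snat_supported "$1" "$2"; then
        printf 'iptables -t nat -A POSTROUTING -p udp --dport 53 -j SNAT --to-source %s --random\n' "$3"
    else
        printf 'no --random support: need iptables >= 1.3.8 (have %s) and kernel >= 2.6.22 (have %s)\n' \
            "$1" "$(version_core "$2")"
    fi
}

# Constructed run using the versions quoted in the original question
# (in practice substitute "$(iptables -V)" and "$(uname -r)").
snat_plan "$(iptables_version_from_banner 'iptables v1.2.11')" \
    2.6.9-67.0.20.ELsmp 192.0.2.53
```

On the CentOS 4 combination in the question this prints the diagnostic rather than a rule, which matches the `Unknown arg '--random'` error. One further check that the thread does not spell out: BIND's own randomization only operates when the query source port is left unpinned, so a `query-source ... port 53` (or `query-source-v6`) line in named.conf would need to go before any of this matters.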
