Vulnerability to cache poisoning -- the rest of the solution

Lakes, Dale Dale.Lakes at AntaresSolutions.com
Mon Jul 14 17:50:44 UTC 2008


Latter-day "stateful" firewalls will keep track of UDP connections in
their state tables.

No firewall reconfig was needed after I applied the -P1 patch.

Dale Lakes
Network Engineer
Antares Management Solutions

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Jeff Lightner
Sent: Monday, July 14, 2008 1:10 PM
To: Peter Laws; bind-users at isc.org
Subject: RE: Vulnerability to cache poisoning -- the rest of the
solution

I understand the theory so was seeking positive confirmation on the
specific questions I asked which still haven't been answered.

Someone stated positively that I couldn't have had queries or transfers
working with the firewall restricted to port 53, so I was looking for
more information about that statement as obviously my BIND is working.

Separately I was then also asking for details about what should be
opened for recursive queries.  Is it UDP only?  TCP & UDP?  Finally I
was asking for specific range information.  That is, if I tell it random,
does that mean it automatically goes to ports above 1024?  Further I
wanted to verify there wasn't anything in BIND that was restricting it
to a range as some applications do.  That is to say, is it completely
random or random within a range?

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Peter Laws
Sent: Monday, July 14, 2008 12:42 PM
To: bind-users at isc.org
Subject: Re: Vulnerability to cache poisoning -- the rest of the
solution

Jeff Lightner wrote:
> We were only allowing port 53 outside the firewall (confirmed by the
> Network folks).   We've been doing lookups for external sites fine
> despite that.   Was the discussion in current thread about that or
> something else?
> 

53, 42, 10999, 63215, doesn't make any difference.  But if it's always 53
or anything else you make the attacker's job easier (and they thank you
... or will on August 6).


> Also my Network admin is asking for clarification of what needs to be
> opened for the port randomization.   He thinks it should only be ports
> above 1024.

If it's running as named, obviously you'd be restricted to ports named
could open, which are above 1024 generally.  Otherwise, it's OS-dependent,
AFAIK.  Seems to me Solaris will (or would in pre-10 days) only pick 32768
or above though it could be changed.

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
plaws at ou.edu
-----------------------------------------------------------------------
Feedback? Contact my director, Craig Cochell, craigc at ou.edu. Thank you!



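As an added example, not code from this thread or from ISC: a Python script with the two checks a practitioner would want after reading the exchange above. The first flags a query-source / query-source-v6 directive that pins the UDP source port to a fixed number (the "always 53" configuration Peter Laws warns about) in a named.conf fragment; the second summarises a sample of observed outgoing query source ports (distinct count, low/high bound, Shannon entropy) so Jeff's "completely random or random within a range?" question can be answered from captured traffic rather than from theory. The named.conf fragments and the port samples are constructed for the example; the 1024-65535 range used for the constructed "randomised" sample is an assumption for illustration, not a statement about the range BIND actually uses.

```python
import random
import re
from collections import Counter
from math import log2

# Constructed named.conf fragments (not taken from the thread).
# The first pins the source port, which defeats port randomisation
# no matter which port number is chosen.
PINNED_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""

# Corrected form: no fixed port, so named picks a random source port.
RANDOMIZED_CONF = """
options {
    directory "/var/named";
    query-source address *;
    query-source-v6 address *;
};
"""

QUERY_SOURCE_RE = re.compile(r"^\s*(query-source(?:-v6)?)\b([^;]*);", re.MULTILINE)
PORT_RE = re.compile(r"\bport\s+(\d+|\*)")


def pinned_query_source_ports(conf: str) -> list:
    """Return (directive, port) for every query-source directive that
    pins the UDP source port to a fixed number. 'port *' is not pinned."""
    findings = []
    for m in QUERY_SOURCE_RE.finditer(conf):
        directive, rest = m.group(1), m.group(2)
        p = PORT_RE.search(rest)
        if p and p.group(1) != "*":
            findings.append((directive, int(p.group(1))))
    return findings


def source_port_stats(ports: list) -> dict:
    """Summarise observed outgoing query source ports.

    entropy_bits is the Shannon entropy of the empirical distribution;
    for a sample of n ports it cannot exceed log2(n), so compare it with
    max_possible_bits, not with the 16 bits of the full port space.
    low/high show whether the ports stay inside a range."""
    n = len(ports)
    counts = Counter(ports)
    entropy = -sum(c / n * log2(c / n) for c in counts.values())
    return {
        "samples": n,
        "distinct": len(counts),
        "low": min(ports),
        "high": max(ports),
        "entropy_bits": round(entropy, 2),
        "max_possible_bits": round(log2(n), 2),
    }


def constructed_sample(fixed: bool, n: int = 2000, seed: int = 7) -> list:
    """Constructed port samples standing in for a packet capture.
    fixed=True models a resolver pinned to port 53; fixed=False models a
    randomising resolver (1024-65535 is an assumed range for illustration)."""
    rng = random.Random(seed)
    if fixed:
        return [53] * n
    return [rng.randrange(1024, 65536) for _ in range(n)]


if __name__ == "__main__":
    print("pinned:", pinned_query_source_ports(PINNED_CONF))
    print("randomised conf:", pinned_query_source_ports(RANDOMIZED_CONF))
    print("fixed-port sample:", source_port_stats(constructed_sample(True)))
    print("random-port sample:", source_port_stats(constructed_sample(False)))
```

To use the second check on real data, collect the source ports of outgoing UDP/53 queries from a packet capture and pass the list to source_port_stats; a low/high spread like the Solaris 32768-and-up behaviour Peter mentions shows up directly in the low/high fields. At the time, querying the TXT record at porttest.dns-oarc.net was the usual live check that a resolver's source ports looked random from the outside.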


