BIND 9.5.0 Unpatched - Passes DNS-OARC and Doxpara Tests

Sten Carlsen ccc2716 at vip.cybercity.dk
Tue Jul 15 15:10:48 UTC 2008


Just to clutter things up more: if this is behind a NAT, that NAT will
in most cases change the outgoing port numbers, and doing that will
either save the day or undo the whole purpose of this exercise, depending
on the inner workings of that device.

Jeff Lightner wrote:
> You can use tcpdump to see which ports are actually being used.
>
> Of course now I need to go verify the random ports I saw were actually
> more than 16...
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Gross, Jason D
> Sent: Monday, July 14, 2008 6:06 PM
> To: bind-users at isc.org
> Subject: RE: BIND 9.5.0 Unpatched - Passes DNS-OARC and Doxpara Tests
>
> So...a false sense of security it is.
>
> Thanks for the quick responses.
>
> ---------------------------------------------------------------------
> Jason Gross
> Network & Communications Services
> Platform Engineering & Operations Services
> Information Management
> United Space Alliance
>
> grossjd at usa-spaceops.com
> V: (321) 799-6601  F: (321) 799-5970
>
>
> -----Original Message-----
> From: Jeremy C. Reed [mailto:Jeremy_Reed at isc.org] 
> Sent: Monday, July 14, 2008 5:56 PM
> To: Gross, Jason D
> Cc: bind-users at isc.org
> Subject: Re: BIND 9.5.0 Unpatched - Passes DNS-OARC and Doxpara Tests
>
> On Mon, 14 Jul 2008, Gross, Jason D wrote:
>
>> This might fit in the "too dumb to ask" bucket, but if my BIND servers
>> are already passing the DNS-OARC and Doxpara checks, does that mean
>> that my servers don't need to be patched as urgently as a server that
>> doesn't pass, or are my servers as vulnerable as any other unpatched
>> server? I do intend to patch, I'm just curious if I'm relatively safe
>> or if I'm just getting a false sense of security.
>>
>> My feeling is that it's probably a false sense of security.
>
> See the 9.5.0 ARM: "If port is * or is omitted, a pool of random
> unprivileged ports will be used." By default there are eight random
> ports which are recreated every 15 minutes. So that was good enough
> to trick those tests.
>
> Note that the queryport options will be obsoleted in 9.5.1 which uses a
> random source port for every query.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 
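Following up on the tcpdump suggestion in the quoted thread, here is an added Python example (not code from anyone on this list) that counts the distinct source ports a resolver uses for outbound queries in a tcpdump text capture and grades the result against the eight-port pool Jeremy describes and the "more than 16" bar Jeff mentions. The capture lines are constructed, not a real trace.

```python
import re
from collections import Counter

# Outbound query half of a tcpdump line: "IP <src>.<sport> > <dst>.53: ...".
# Replies come from port 53 back to the client port, so they do not match.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.53: "
)

# Constructed sample (not a real capture): a resolver cycling through a pool of
# eight ports, roughly what a 9.5.0 default "pool of random ports" looks like.
SAMPLE_CAPTURE = """\
15:10:48.000001 IP 192.0.2.10.40001 > 198.51.100.5.53: 1+ A? example.com. (29)
15:10:48.000002 IP 198.51.100.5.53 > 192.0.2.10.40001: 1 1/0/0 A 192.0.2.99 (45)
15:10:48.000003 IP 192.0.2.10.40002 > 198.51.100.5.53: 2+ A? example.net. (29)
15:10:48.000004 IP 192.0.2.10.40003 > 198.51.100.5.53: 3+ AAAA? example.org. (29)
15:10:48.000005 IP 192.0.2.10.40004 > 198.51.100.5.53: 4+ MX? example.com. (29)
15:10:48.000006 IP 192.0.2.10.40005 > 198.51.100.5.53: 5+ A? example.edu. (29)
15:10:48.000007 IP 192.0.2.10.40006 > 198.51.100.5.53: 6+ A? example.com. (29)
15:10:48.000008 IP 192.0.2.10.40007 > 198.51.100.5.53: 7+ NS? example.org. (29)
15:10:48.000009 IP 192.0.2.10.40008 > 198.51.100.5.53: 8+ A? example.net. (29)
15:10:48.000010 IP 192.0.2.10.40001 > 198.51.100.5.53: 9+ A? example.org. (29)
15:10:48.000011 IP 192.0.2.10.40002 > 198.51.100.5.53: 10+ A? example.com. (29)
"""

def outbound_source_ports(capture_text):
    """Count the source ports used for queries sent to port 53."""
    ports = Counter()
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            ports[int(m.group("sport"))] += 1
    return ports

def assess_port_pool(ports, min_distinct=16):
    """Return (distinct port count, verdict); 16 is the bar used in the thread."""
    distinct = len(ports)
    if distinct == 0:
        return distinct, "no outbound queries seen"
    if distinct == 1:
        return distinct, "fixed source port"
    if distinct <= min_distinct:
        return distinct, "small port pool"
    return distinct, "per-query randomisation likely"

if __name__ == "__main__":
    print(assess_port_pool(outbound_source_ports(SAMPLE_CAPTURE)))
```

Per Sten's NAT point, feed it a capture taken on the outside of any NAT, since that is the port distribution the upstream servers actually see.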
