PNAT vs. vuln.
Barry Margolin
barmar at alum.mit.edu
Sun Jul 20 00:22:26 UTC 2008
In article <g5tae1$2pud$1 at sf1.isc.org>,
Chris Buxton <cbuxton at menandmice.com> wrote:
> On Jul 19, 2008, at 10:13 AM, David Carmean wrote:
> > So does standard PNAT just negate any advantage given by the
> > recent patches? Or is there more to it than just source port
> > randomness?
>
> If by PNAT you mean port mapping by a NAT device, the answer is often
> yes. It depends on the implementation. For example, Linux iptables
> does not appear to cause problems.
>
> The problem here is that, in masquerading the outbound IP of the
> query, the NAT device may also change the outbound source port, often
> using a predictable sequence. Or it may change all outbound queries to
> use the same port.
Indeed, if you have Comcast HSI service, try using the DNS test site and
you often get a warning that all the source ports are within a small
range, possibly due to a firewall or NAT. Comcast admins insist that
they've installed the patch.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
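As an added illustration, not part of the original post or thread: the check a "DNS test site" performs can be reproduced from the outside of the NAT with a packet capture. The Python below takes the UDP source ports seen on outbound queries (parsed from tcpdump-style lines), classifies them as fixed, sequential, narrow or random, and estimates how many bits an off-path attacker still has to guess per forged answer. The tcpdump lines, port lists, function names and thresholds are my own constructions and assumptions, not anything from the post or from BIND.

```python
"""Heuristic DNS source-port randomisation check, as seen from the WAN side.

Added example, not from the original post. All sample data below is
constructed; the 1024-port "narrow" threshold is an assumption.
"""
import math
import re

# Constructed tcpdump-style lines (not a real capture), as you would see them
# on the outside interface of the NAT: "IP <src>.<sport> > <resolver>.53: ..."
TCPDUMP_LINES = """\
12:00:01.000 IP 203.0.113.5.58321 > 198.51.100.2.53: 4711+ A? example.com. (29)
12:00:01.010 IP 203.0.113.5.4123 > 198.51.100.2.53: 4712+ A? example.net. (29)
12:00:01.020 IP 203.0.113.5.61002 > 198.51.100.2.53: 4713+ A? example.org. (29)
12:00:01.030 IP 203.0.113.5.17733 > 198.51.100.2.53: 4714+ AAAA? example.com. (29)
""".splitlines()

# Constructed port lists modelling the NAT behaviours discussed above.
SAMPLE_RANDOM = [58321, 4123, 61002, 17733, 33980, 50147, 9021, 44560, 27615, 63210]
SAMPLE_SEQUENTIAL = [1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032, 1033]
SAMPLE_FIXED = [53] * 10
SAMPLE_NARROW = [32768, 32771, 32769, 32775, 32770, 32774, 32772, 32777, 32773, 32776]

# Source port of a UDP query to port 53 in a tcpdump line.
_QUERY_RE = re.compile(r"\bIP \S+?\.(\d{1,5}) > \S+?\.53: ")


def ports_from_tcpdump(lines):
    """Extract the source port of every query-to-53 line, in capture order."""
    ports = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def classify(ports):
    """Label an observed port sequence.

    'fixed'       one port reused for every query (port adds nothing)
    'sequential'  constant stride, so the next port is predictable
    'narrow'      ports vary but within a small window (assumed < 1024)
    'random'      ports spread across a wide range
    """
    if len(ports) < 4:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed"
    strides = {b - a for a, b in zip(ports, ports[1:])}
    if len(strides) == 1:
        return "sequential"
    if max(ports) - min(ports) < 1024:
        return "narrow"
    return "random"


def guess_bits(ports):
    """Approximate bits an off-path attacker must guess per forged reply:
    16 for the transaction ID, plus whatever the source port still adds.
    A fixed or predictable port contributes nothing; otherwise we credit
    log2 of the observed span, a rough but conservative proxy."""
    kind = classify(ports)
    if kind == "insufficient":
        return None
    if kind in ("fixed", "sequential"):
        return 16.0
    return 16.0 + math.log2(max(ports) - min(ports) + 1)


def report(ports):
    """One-line verdict suitable for a quick sanity check."""
    kind = classify(ports)
    bits = guess_bits(ports)
    if bits is None:
        return "insufficient samples (%d ports)" % len(ports)
    return "%s: %d ports seen, ~%.1f bits to guess per forged answer" % (
        kind, len(ports), bits)


if __name__ == "__main__":
    print("capture  ->", report(ports_from_tcpdump(TCPDUMP_LINES)))
    for name, sample in (("random", SAMPLE_RANDOM), ("sequential", SAMPLE_SEQUENTIAL),
                         ("fixed", SAMPLE_FIXED), ("narrow", SAMPLE_NARROW)):
        print("%-10s -> %s" % (name, report(sample)))
```

A resolver whose patched randomisation survives the NAT should come out as "random" with roughly 32 bits to guess; the "fixed" and "sequential" cases collapse back to the 16-bit transaction ID, which is exactly the pre-patch situation. Run it against a tcpdump taken on the public side of the NAT, since a capture on the inside will show the resolver's randomised ports regardless of what the NAT does to them.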