dns exploit

Chris Buxton cbuxton at menandmice.com
Sat Jul 26 06:43:56 UTC 2008


I'm not exactly sure what you said, but I do know that if your  
firewall or port forwarder is changing the source ports of outbound  
queries to be something predictable, or to be all the same, then you  
have a problem. The patch on your name server is not enough - you also  
have to fix your firewall.

Linux iptables does not appear to change source ports.

Chris Buxton
Professional Services
Men & Mice

On Jul 25, 2008, at 11:30 PM, Brian Keefer wrote:

> I just looked at it a bit more closely...
>
> I'm using OpenBSD for my firewall and my nameservers.  The firewall  
> is 3.5, the nameservers are 4.3.  The firewall is just doing  
> standard PF nat for outbound requests.  Whether I used the doxpara  
> tool, or dns-oarc the source ports from my recursive resolver were  
> the same (pre-patch), but on the external interface of my firewall,  
> the packets to doxpara did not get randomized ports, while those to  
> dns-oarc did.  Post-patch the resolver itself has random source  
> ports, so it's moot.
>
> There have been several suggestions for writing PF nat statements to  
> cover this vulnerability, and other folks supposedly had luck with  
> them, so perhaps something changed with PF's randomization since  
> 3.5?  I haven't had enough spare time to comb the commit comments...
>
> Dan did mention something in his blog about not having updated his  
> tool to account for iptables or PF randomization, but I'm not sure  
> why the tool being able to force the same source port is a bug with  
> his script rather than a way to defeat said packet filter  
> randomization...
>
> Brian Keefer
> Sr. Systems Engineer
> www.Proofpoint.com
> "Defend email.  Protect data."
>
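As an added illustration of the check Chris describes above (and of the two captures Brian compared, resolver-side versus the firewall's external interface), not code from either poster or from BIND: a small Python script that pulls the UDP source port out of tcpdump-style lines for outbound queries to port 53 and classifies the sequence, so a NAT device that collapses randomized ports onto one value or a counter shows up immediately. The line format, addresses and port numbers are constructed samples.

```python
import re

# Matches tcpdump-style UDP lines such as
# "12:00:01.000001 IP 192.0.2.10.41337 > 198.51.100.1.53: 4096+ A? example.com. (29)"
# and captures the query's source port (group 2). Constructed format, not a BIND log.
TCPDUMP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.53: ")

def query_source_ports(lines):
    """Extract the UDP source port of every outbound query to port 53."""
    ports = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            ports.append(int(m.group(2)))
    return ports

def assess_source_ports(ports):
    """Classify the port sequence: 'constant', 'sequential', 'low-entropy' or 'randomized'."""
    if len(ports) < 2:
        return "insufficient"
    distinct = set(ports)
    if len(distinct) == 1:
        return "constant"
    strides = {b - a for a, b in zip(ports, ports[1:])}
    if len(strides) == 1:          # every query advances by the same step
        return "sequential"
    if len(distinct) < len(ports) / 2:
        return "low-entropy"
    return "randomized"

def nat_breaks_randomization(inside_lines, outside_lines):
    """True when the resolver randomizes but the firewall's external interface does not."""
    inside = assess_source_ports(query_source_ports(inside_lines))
    outside = assess_source_ports(query_source_ports(outside_lines))
    return inside == "randomized" and outside != "randomized"

# Constructed samples standing in for two simultaneous captures of the same four queries.
INSIDE = [  # captured on the resolver: a patched server picks a fresh port per query
    "12:00:01.000001 IP 192.0.2.10.41337 > 198.51.100.1.53: 4096+ A? example.com. (29)",
    "12:00:01.000402 IP 192.0.2.10.60012 > 198.51.100.1.53: 4097+ A? example.net. (29)",
    "12:00:01.000803 IP 192.0.2.10.11202 > 198.51.100.1.53: 4098+ A? example.org. (29)",
    "12:00:01.001204 IP 192.0.2.10.53991 > 198.51.100.1.53: 4099+ A? example.edu. (29)",
]
OUTSIDE = [  # captured on the firewall's external interface: NAT rewrote every port to 53012
    "12:00:01.000010 IP 203.0.113.5.53012 > 198.51.100.1.53: 4096+ A? example.com. (29)",
    "12:00:01.000411 IP 203.0.113.5.53012 > 198.51.100.1.53: 4097+ A? example.net. (29)",
    "12:00:01.000812 IP 203.0.113.5.53012 > 198.51.100.1.53: 4098+ A? example.org. (29)",
    "12:00:01.001213 IP 203.0.113.5.53012 > 198.51.100.1.53: 4099+ A? example.edu. (29)",
]

if __name__ == "__main__":
    print("resolver :", assess_source_ports(query_source_ports(INSIDE)))
    print("firewall :", assess_source_ports(query_source_ports(OUTSIDE)))
    print("NAT de-randomizes:", nat_breaks_randomization(INSIDE, OUTSIDE))
```

Run it against a real pair of captures (tcpdump on the resolver and on the firewall's outside interface, filtered to udp dst port 53) in place of the constructed lists; a "constant" or "sequential" verdict on the outside capture is the firewall problem Chris is warning about.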
