Insufficient DNS Source Port Randmoization

Matus UHLAR - fantomas uhlar at
Thu Jul 28 07:41:09 UTC 2011

On 28.07.11 15:33, Pete Fong wrote:
>My Linux is OpenSuSE 11.4 with Kernel which is used for
>DNS server. I have installed bind-9.7.3P3-0.2.1
>Our external auditor used "NeXpose" for scanning my system. It showed
>"Insufficient DNS Source Port Randomization Vulnerability".

The insufficient randomization was afaik fixed in 9.5.0.

> Therefore
>I have followed BIND 9 Configuration Reference Guide, I have adjusted
>named.conf configuration file as below :
>query-source address * port * ;
>query-source-v6 address * port *;
>use-v4-udp-ports { range 1024 65535; };
>use-v6-upd-ports ( range 1024 65535; };

Did you have these before? I think that BIND tries those ports by 
default, so configuring them should not affect it.

>But I am not lucky, The NeXpose software still showed the same
>vulnerability. Anybody has some issue ? Anybody can help me ?

Is your resolving server behind firewall? Does the firewall change 
source port?
Matus UHLAR - fantomas, uhlar at ;
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool. 

More information about the bind-users mailing list