BIND ignores queries from specific privileged source ports

Mark Andrews marka at isc.org
Mon Jun 10 21:29:46 UTC 2019


The primary issue here is that 
there is still source address spoofing happening so you have to consider what if this packet was spoofed. DNS uses UDP and is used as a reflector. The small services ports listed generate reply traffic. 

Additionally kpasswd and a DNS server can generate a self sustaining traffic loop if it is not suppressed.

As for the NAT box that chooses those ports.  If you can’t keep the original port it should choose a ephemeral port at random. Choosing a well known port is problematic for lots of reasons. There are ~63500 ephemeral ports. Adding the well known ports into the mix of source ports doesn’t significantly improve anything.  If you look at IETF documents for CGNs they say to not use the lower 1024 ports. 
-- 
Mark Andrews

> On 11 Jun 2019, at 05:44, Warren Kumari <warren at kumari.net> wrote:
> 
> On Mon, Jun 10, 2019 at 12:37 PM Grant Taylor via bind-users
> <bind-users at lists.isc.org> wrote:
>> 
>>> On 6/7/19 8:44 PM, Mark Andrews wrote:
>>> Named drops those ports as they can be used in reflection attacks.
>>> Sane NAT developers avoid those ports for just that reason.  The full
>>> list is below.
>> 
>> I understand the logic behind avoiding potentially problematic ports.
>> 
>> But I don't understand the actual attack scenario.  Is the attack
>> against the BIND server?
> 
> The root problem is cache poisoning -- see "The Hitchhiker’s Guide to
> DNS Cache Poisoning" Section 3.2 Blind response forgery using birthday
> attack ( https://www.cs.cornell.edu/~shmat/shmat_securecomm10.pdf )
> for a reasonable writeup.
> It's unclear how much protection using the additional port space
> actually helps in practice, but...
> 
> There are many other mitigations, and the "right" answer is "just use DNSSEC".
> 
> W
> 
>> I.e. in an attempt to cause BIND to establish
>> a never ending loop of packets between itself and the purported address?
>>  Or is this an attempt to cause BIND to attack a spoofed source with
>> said loop?
>> 
>> Nor do I understand why BIND couldn't differentiate between an actual
>> query vs a reflected reply, daytime response, chargen, or time packet.
>> 
>> Will someone please explain what I'm failing to understand?
>> 
>> 
>> 
>> --
>> Grant. . . .
>> unix || die
>> 
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>   ---maf
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



More information about the bind-users mailing list