iptables and bind
Kevin Darcy
kcd at chrysler.com
Tue Aug 12 04:53:09 UTC 2008
Paul A wrote:
> Hi, sorry if this has been asked before but will using iptables to randomize
> source ports further help prevent cache poison?
> I have a Bind 9 server that is an authoritative/cache server.
> Where can I find some examples of iptables rules being used with random
> port/rate limits?
> I tried using iptables with the random options but I get, iptables v1.2.11:
> Unknown arg `--random'.
>
> Using BIND 9.4.3b2 with iptables v1.2.11 on Centos 2.6.9-67.0.20.ELsmp.
>
According to http://www.iptables.org/news.html#2007-12-22 the port
randomization feature was added in iptables v1.3.8, which appears to be
later than the version you're running, and other sources indicate that
the feature relies on kernel support available only in 2.6.22 or later.
But even if, hypothetically, you were to get iptables to randomize
source ports for you, the version of BIND you're running _already_
randomizes source ports, so re-randomizing using iptables will only help
prevent an attack if the iptables PRNG produces higher-quality (i.e.
less predictable) results than the PRNG that BIND uses. If both BIND and
iptables use the same source of entropy, then I don't see that you would
buy anything by implementing source-port randomization at the iptables
level, and you would pay a cost in terms of complexity and overhead.
(Caveat: I'm no crypto or entropy expert).
- Kevin
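
A pre-flight check for the two version requirements mentioned in the reply above, as an added example that is not part of the original message. The function names are made up for illustration; the thresholds (iptables 1.3.8, kernel 2.6.22) are the ones cited in the reply.

```shell
# Added example: pre-flight check for the iptables --random option.
MIN_IPTABLES=1.3.8   # per the reply: option added in iptables v1.3.8
MIN_KERNEL=2.6.22    # per the reply: kernel support in 2.6.22 or later

# numeric_prefix STRING -> leading dotted number ("v1.2.11" -> "1.2.11",
# "2.6.9-67.0.20.ELsmp" -> "2.6.9"); prints nothing if there is none.
numeric_prefix() {
    printf '%s\n' "$1" |
        sed -n 's/^v\{0,1\}\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# ver_ge A B -> status 0 if dotted version A >= B, compared numerically
# field by field (2.6.9 < 2.6.22, which a plain string compare gets wrong).
ver_ge() (
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then exit 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then exit 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    exit 0
)

# random_supported IPTABLES_VERSION KERNEL_RELEASE (hypothetical helper)
# Status: 0 = both requirements met, 1 = at least one unmet, 2 = parse error.
random_supported() {
    rs_ipt=$(numeric_prefix "$1")
    rs_kern=$(numeric_prefix "$2")
    if [ -z "$rs_ipt" ] || [ -z "$rs_kern" ]; then
        echo "cannot parse version: '$1' / '$2'"; return 2
    fi
    rs_rc=0
    if ! ver_ge "$rs_ipt" "$MIN_IPTABLES"; then
        echo "iptables $rs_ipt < $MIN_IPTABLES: --random is an unknown option"
        rs_rc=1
    fi
    if ! ver_ge "$rs_kern" "$MIN_KERNEL"; then
        echo "kernel $rs_kern < $MIN_KERNEL: no kernel support for --random"
        rs_rc=1
    fi
    return "$rs_rc"
}

# Versions from the question above. On a live host, pass
# "$(iptables --version | awk '{print $2}')" and "$(uname -r)" instead.
random_supported "v1.2.11" "2.6.9-67.0.20.ELsmp" || true
```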